SOX COBIT COSO - University Of Illinois
citebm.business.illinois.edu/TWC Class/Pr… · Web view · 2006-05-17

SOX, CoBIT, COSO Project
Subra Krishnan

Abstract: The grand framework of SOX, COSO and CoBIT, their future trends and some managerial caveats are introduced. The Trustworthy Computing usage model from Microsoft is summarized to indicate the direction in which modern software development is heading; this would become a de facto standard for all software corporations. Within the COSO framework, ideas on Enterprise Risk Management (ERM) are touched upon. ERM is not an end in itself, but rather an important means: it helps an entity achieve its performance and profitability targets and prevent loss of resources, and it helps an entity get to where it wants to go while avoiding pitfalls and surprises along the way. Under CoBIT, CRM and the Key Performance Indicators, using dashboard techniques to help top management evaluate projects, are discussed, and IT is a major component of it. Some managerial intuition is offered on how corporations are turning this new compliance burden into a financial opportunity. In that regard, the concept of a Single Compliance Platform will be the wave of the future.

Keywords: Business Risk Management, Information Trust and Compliance Issues (SOX), Trustworthy Systems Development.

Cross Link keywords: Dependable & Trustworthy Enterprises Systems, Enterprise Information Security Policy.

Trustworthy Computing, Page 1 of 18, 5/8/2023


Executive Summary

All public companies must comply with Sarbanes-Oxley. Compliance is hard work, and expensive as well, since effective internal controls must be established for good corporate governance. Good governance can be good for business: by complying, some Fortune 500 companies are turning the unavoidable costs of Sarbanes-Oxley into an opportunity to improve business processes and distinguish themselves in the financial community. Whatever governance you have in place today, be ready to adapt it to make the most of future business conditions. With that in mind, this project touches upon the grand framework of SOX and its flow from COSO to CoBIT.

The pillars of Trustworthy Computing are essential to robust internal controls and essential for good governance. A case study on Microsoft's software security, with emphasis on the Security Development Lifecycle, is discussed to underscore the importance of including security in the initial stages of software development.

Under the CoBIT umbrella, some of its best practices, in the form of an IT governance implementation roadmap, are discussed at length. In particular, the usage model for metrics measurement using the dashboard concept will help readers see the big picture, using ING as a case study.

Under the COSO framework, Enterprise Risk Management provides a framework for management to deal effectively with uncertainty, risk and opportunity, and thereby enhance its capacity to build value. Since no entity operates in a risk-free environment, enterprise risk management fills the need to enable management to operate more effectively in these environments.

No new material is presented here. This report is a collection of best practices and their implementation methods.

The contents that follow are:

1. Overview: SOX, CoBIT, COSO
2. Trustworthy Computing
3. Case Studies: Microsoft (Security), ING (CoBIT)
4. Emerging Trends: SOX, CoBIT


1. Overview

Compliance is a form of standardization that different industry sectors have to adhere to when doing business, whether by following metrics or when implementing a process. Protocols also come under this wing: for instance, when countries host dignitaries, certain regulations are followed. As one would expect, there are different kinds of regulations in the business world:

• Regulations around financial controls, such as Sarbanes-Oxley and Basel II.
• Regulations around privacy, such as the EU Data Protection Act.
• Regulations around fraud, such as anti-money-laundering legislation.

IT departments generally have two different roles in compliance:

1) Making sure that technology is available which enables people to adhere to compliance requirements, and
2) Making that technology easy to use.

IT needs to deal with compliance because compliance affects all businesses; hence the pervasiveness of IT departments in compliance work. Figure 1, below, illustrates the broad framework of the regulations in place.

Figure 1: Control Frameworks of SOX

Source: CIO guide to SOX Reymann Group Inc., Jan 2005


Sarbanes-Oxley (SOX) Overview:

Thousands of companies face the task of ensuring their accounting operations are in compliance with the Sarbanes-Oxley Act. Auditing departments typically have a comprehensive external audit (by a SOX compliance specialist) performed to identify areas of risk. Next, specialized software is installed that provides the "electronic paper trails" necessary to ensure SOX compliance. The most important Sarbanes-Oxley sections for compliance are listed below. Certification and specific public actions are now required of companies to remain in SOX compliance.

SOX Section 302 - Corporate Responsibility for Financial Reports

a) The CEO and CFO must review all financial reports.
b) The financial report must not contain any misrepresentations.
c) Information in the financial report must be "fairly presented".
d) The CEO and CFO are responsible for the internal accounting controls.
e) The CEO and CFO must report any deficiencies in internal accounting controls, or any fraud involving management, to the audit committee.
f) The CEO and CFO must indicate any material changes in internal accounting controls.

SOX Section 404 - Management Assessment of Internal Controls

All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, together with an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of management's assertion that internal accounting controls are in place, operational and effective.

SOX Section 409 - Real Time Issuer Disclosures

Companies are required to disclose, on an almost real-time basis, information concerning material changes in their financial condition or operations.

SOX Section 902 - Attempts & Conspiracies to Commit Fraud Offenses

It is a crime for any person to corruptly alter, destroy, mutilate, or conceal any document with the intent to impair the object's integrity or availability for use in an official proceeding.

[http://www.aicpa.org/info/sarbanes_oxley_summary.htm]


CoBIT: Control Objectives for Information and related Technologies

CoBIT was developed in 1996 by the Information Systems Audit and Control Association (ISACA) and is now issued and maintained by the IT Governance Institute (ITGI) as a framework for providing control mechanisms over the information technology domain. Now in its third version, CoBIT has been extended to serve as an IT governance framework by providing maturity models, critical success factors, key goal indicators and key performance indicators for the management of IT. At the heart of CoBIT are 34 high-level control objectives, grouped into four main domains:

• planning and organization,
• acquisition and implementation,
• delivery and support, and
• monitoring.

More recently, CoBIT added a set of action-oriented management guidelines to provide management direction for monitoring achievement of organizational goals, for monitoring performance within each IT process, and for benchmarking organizational achievement.

Overall, CoBIT represents a comprehensive framework for implementing IT governance with a very strong auditing and controls perspective, which has increasing resonance in the era of SOX and other compliance-related regulations and legislation.

[IT Governance Institute and CoBIT, http://www.itgi.org]

COSO: Committee of Sponsoring Organizations (of the Treadway Commission)

The underlying premise of Enterprise Risk Management (ERM) is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management provides a framework for management to deal effectively with uncertainty and the associated risk and opportunity, and thereby enhance its capacity to build value. As entities cannot operate in a risk-free environment, enterprise risk management enables management to operate more effectively in environments filled with risks.


Benefits of Enterprise Risk Management

• Align risk appetite and strategy – Management considers its risk appetite when evaluating strategic alternatives, then sets objectives aligned with strategy and develops mechanisms to manage the related risks.
• Link growth, risk and return – ERM provides an enhanced ability to identify and assess risks, and to establish levels of risk relative to growth and return objectives.
• Enhance risk response decisions – ERM provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and techniques for making these decisions.
• Minimize operational surprises and losses – Entities gain an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and the related costs or losses.
• Identify and manage cross-enterprise risks – Every entity faces many risks affecting different parts of the organization. Management needs not only to manage individual risks, but also to understand their interrelated impacts.
• Provide integrated responses to multiple risks – Business processes carry many inherent risks, and ERM enables integrated solutions for managing them.
• Seize opportunities – Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
• Rationalize capital – More robust information on an entity's total risk allows management to assess overall capital needs more effectively and to improve capital allocation.

[ER Management Framework, http://www.erm.coso.org]

Enterprise risk management is not an end in itself, but rather an important means. It cannot and does not operate in isolation in an entity, but rather is an enabler of the management process. Enterprise risk management is interrelated with corporate governance, by providing information to the board of directors on the most significant risks and how they are being managed. It also interrelates with performance management, by providing risk-adjusted measures, and with internal control, which is an integral part of enterprise risk management.

Enterprise risk management helps an entity achieve its performance and profitability targets and prevent loss of resources. It helps ensure effective reporting, and it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and other consequences. In short, it helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

We shall now see how Trustworthy Computing fits into the IT governance model.

2. Trustworthy Computing (TWC)

The four pillars of TWC, namely Security, Privacy, Reliability and Business Integrity, as illustrated below (Table A), form the framework of TWC. These goals form the basis of trust in any business. All of these goals raise issues related to engineering, business practices and public perceptions, although not all to the same degree. These are goals from a user's point of view.

Table A: The four pillars of Trustworthy Computing

Goal: The basis for a customer's decision to trust a system
Security: The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected.
Privacy: The customer is able to control data about themselves, and those using such data adhere to fair information principles.
Reliability: The customer can depend on the product to fulfill its functions when required to do so.
Business Integrity: The vendor of a product behaves in a responsive and responsible manner.

Source: UIUC TWC class Lecture slide-01

The means to achieve the TWC goals of Security, Privacy, Reliability and Business Integrity are shown in Table B. A white paper on Microsoft's own TWC environment encompasses the following "Means" to meet the goals. These are perspectives from an IT point of view.


Table B: Means to achieve the Goals

Means: The business and engineering considerations that enable a system supplier to deliver on the Goals
Secure by Design, Secure by Default, Secure in Deployment: Steps have been taken to protect the confidentiality, integrity, and availability of data and systems at every phase of the software development process, from design, to delivery, to maintenance.
Fair Information Principles: End-user data is never collected and shared with people or organizations without the consent of the individual. Privacy is respected when information is collected, stored, and used consistent with Fair Information Practices.
Availability: The system is present and ready for use as required.
Manageability: The system is easy to install and manage, relative to its size and complexity. (Scalability, efficiency and cost-effectiveness are considered to be part of manageability.)
Accuracy: The system performs its functions correctly. Results of calculations are free from error, and data is protected from loss or corruption.
Usability: The software is easy to use and suitable to the user's needs.
Responsiveness: The company accepts responsibility for problems, and takes action to correct them. Help is provided to customers in planning for, installing and operating the product.
Transparency: The company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company.

Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002

The execution of the "Means" is based on intent, implementation and evidence. This must be reflected in managerial practices as well, to give a holistic view of the concepts. This is the organizational point of view, as shown in Table C.

Table C: Execution of Means


Intents
• Company policies, directives, benchmarks, and guidelines
• Contracts and undertakings with customers, including Service Level Agreements (SLAs)
• Corporate, industry and regulatory standards
• Government legislation, policies, and regulations

Implementation
• Risk analysis
• Development practices, including architecture, coding, documentation, and testing
• Training and education
• Terms of business
• Marketing and sales practices
• Operations practices, including deployment, maintenance, sales & support, and risk management
• Enforcement of intents and dispute resolution

Evidence
• Self-assessment
• Accreditation by third parties
• External audit

Source: Trustworthy Computing White paper, Craig Mundie – Oct 2002

We shall now look at some case studies from a learning perspective, and at how corporations have successfully integrated these practices into their business models. A successful integration makes for a socially responsible form of business.

3. Case Studies & White Papers

Microsoft case study for TWC:

This case discusses the Trustworthy Computing Security Development Lifecycle (SDL), a process that Microsoft has adopted for the development of software that needs to withstand malicious attack. The process encompasses the addition of a series of security-focused activities and deliverables to each of the phases of Microsoft's software development process. These activities and deliverables include:

• the development of threat models during software design,
• the use of static analysis code-scanning tools during implementation,
• the conduct of code reviews and security testing during a focused "security push", and
• before the software is released, a final security review by a team independent of its development group.

Figure 2 represents the traditional or base model, and Figure 3 represents the SDL model that is currently becoming the de facto standard in the software industry.

Figure 2: Standard process

Figure 3: Newer process with built-in SDL

Results: When compared to software that has not been subject to the SDL, software that has undergone the SDL has experienced a significantly reduced rate of external discovery of security vulnerabilities. The cited paper describes the SDL and the experience with its implementation across Microsoft software [Trustworthy Computing Security Development white paper, Steve Lipner – Mar 2005].

Key concepts and managerial issues

• Security must be considered from the initiation phase of a software development project.
• Management should also base the decision to release the software on the security viewpoint.

Key techniques, components and models

• Secure by Design and Secure by Default provide the most security benefit.
• Threat modeling must continue even after the release of the software.
• Security is difficult to measure directly; hence proxy metrics are used to measure software security, such as threat modeling, code review, and independent Final Release Testing.


ING's CoBIT case study (Case study on ING financial corporation):

Case Summary: ING Group is a global financial services institution of Dutch origin offering banking, insurance and asset management to 60 million private, corporate and institutional clients worldwide. ING is a multi-product, multi-distribution company, approaching the customer through their channel of choice. The company comprises a broad spectrum of prominent businesses that increasingly serve their clients under the ING brand.

The ING case study indicates co-variance between ING's business performance and the robustness of the IT governance structure, supported by innovative IT portfolio analysis (an investment management approach to enterprise IT). A strong execution capability is the hidden force behind these activities.

Apart from the CoBIT requirements, the implementation of CoBIT regulations gave management a clearer view of their weaknesses and of what solutions could be adopted to mitigate their risks and weaknesses. The key questions that can be addressed by CoBIT are:

• Is there a framework to guide business and technology management leaders to change IT's role within the organization and to close the gap between IT and the business? Is IT going to support and drive this initiative?
• What are the responsibilities at the board and management levels?
• Is this a governance issue?

Figure 4 describes the IT management and governance structure in ING, while Figure 5 depicts the generic IT implementation roadmap as given by the committee. The key elements of Figure 5 are identification of needs, envisioning the solution, planning for it, and its execution.

Identify needs:

Phase 1 of the roadmap identifies the needs. The CoBIT Management Guidelines offer key goal indicators (KGIs) and critical success factors to help define IT goals. The CoBIT Control Objectives and Control Practices provide guidance on critical control requirements. The information criteria described in the Framework help define the business value and risk mitigation. The IT resources help define the resources required to manage the risks and value.

Figure 4: IT management and governance structure in ING
Source: Enterprise Value: Governance of IT investments – ING case study

Figure 5: ING's IT governance implementation roadmap
Source: IT governance implementation guide

Envision the solution:

Phase 2 of the roadmap envisions the solution based on the current standing. The current maturity of the IT processes (as-is) must be assessed and the appropriate target maturity levels (to-be) set. Based on the maturity attributes in the CoBIT Control Objectives and Control Practices, the analysis of the gaps between the as-is and to-be positions is translated into improvement opportunities. This phase uses the critical success factors and the maturity models from the CoBIT Management Guidelines.

Plan the solution:

The third phase of the roadmap suggests improvements and translates them into justifiable projects. After approval, these projects should be integrated into an overall improvement strategy with a detailed plan to roll out the solution. The CoBIT Control Objectives and Control Practices can be used to prioritize improvement opportunities, and the CoBIT Management Guidelines' Key Performance Indicators and Key Goal Indicators are available for defining process metrics for the IT and business goals.

Implement the solution:

The sustainability of the delivery is guaranteed by the feedback provided by the postmortem briefing and by monitoring the improvements on the corporate and IT balanced scorecards. In this phase the KGIs and KPIs from the CoBIT Management Guidelines can be used to establish an IT balanced scorecard and to document a post-implementation review.

Putting It Into Practice:

In looking at a complete IT project portfolio, care is taken to ensure that project dependencies and links are taken into account. For example, infrastructure changes (which may be defined as separate projects) may be needed to provide a platform for a new customer relationship management (CRM) system. ING evaluates the portfolio in terms of a series of programs, each containing a number of linked projects, rather than as a collection of totally independent, stand-alone projects. The value proposition, in terms of the overall benefits accruing from the ING approach, includes:

• Increased financial and risk transparency, resulting in improved decision making on an investment portfolio.
• Reduction of false positives (over-optimistic business cases) and false negatives (over-pessimistic business cases), resulting in more accurate project selection, safer investments and a reduction of opportunity cost.
• Early identification of obsolete or non-performing projects, resulting in significant cost savings and avoidance of future budget overruns.
• A more disciplined (operational) risk approach, resulting in risk optimization and a reduction of the need for costly provisions (economic capital).
• Identification of quality (investment grade) projects from a risk and return perspective, resulting in more focused and increased investment in promising business opportunities (upside risk). [Enterprise Value: Governance of IT investments – ING case study]

ING believes in the adage "you cannot manage what you cannot measure." In that regard, to help management in its quest for business accountability, the IT teams came out with an IT dashboard. The IT dashboard process, which is carried out at the same time as ING's annual medium-term business planning exercise, provides the information necessary to:

• Enable ING to develop and benchmark appropriate metrics on IT dollars, performance and value
• Help identify trends, enable best practices to be shared, and help managerial actions to be taken
• Enable benchmarking of metrics among different business units
• Assist senior business and IT management to exercise their governance responsibilities over IT investments

IT Metrics:

The metrics that are collected and analyzed include the obvious yardsticks. Below are a few such instances.

• IT costs by category and by activity
• IT staff numbers and activity-based cost analysis
• Outsourcing ratios
• IT costs as a percentage of total operating costs
• IT-related operational risk incidents (number and value)
• IT security incidents (number and value)

Before giving an approval, ING looks at the financial transparency and risk/return metrics. This information, together with the metrics collected, including its own solutions delivery performance, results in a risk/return rating of ING's IT investment portfolio and in its ability to actively manage the portfolio on the basis of the capability maturity model (CMM).

How ING's IT dashboard was helpful for its IT governance:

The metrics collected through the dashboard process are merely a means to an end. The results obtained from the analysis helped to answer such questions as:

• Why is IT expenditure forecasting out of sync with the majority of competitors? Further work is needed to ascertain whether this is a positive or a negative trait.
• What is the reason for the unclear financial transparency of many IT investments? This will affect ING during consultations to scope out the clarity of the projects.
• Why are there anomalies in the IT investment portfolio in terms of risk versus return? As a result, ING started re-examining its existing IT investment portfolio.
• Why the uncertainty in project delivery time? The need for CMM was understood, and the board has taken action to require all business units to attain a defined higher level within a specified and challenging time frame.

[Enterprise Value: Governance of IT investments – ING case study]

ING Conclusion:

1) Shareholders' ROI is partly related to how much is spent on IT. Equally important is how the money is spent. In the short term, the best shareholder return is generated by transactional (cost-saving) projects, because they emphasize standardization and efficiency, which result in a lower cost per transaction.
2) Strategic IT investments must also be pursued to create future revenue growth and to improve sustainable financial performance for all stakeholders.
3) Having demonstrated success in developing IT dashboard analysis, ING is considering the potential benefits to any organization of providing similar IT value and performance analysis as a commercial service.

Key techniques, components and models

ING’s IT management and governance structure shows that IT is melded well into ING’s business strategy. Figure 4 shows how ING strives to ensure that the firm’s business leaders are informed and committed, and that the organization structure is established to achieve that.

Key concepts and managerial issues

‘Portfolio management helps overcome the disconnect in communications between the business and IT communities. It is an excellent way to deal with the perennial questions about IT value and IT alignment with the business’. —Bill Rosser, Gartner

The link between the leadership council and the policy board is important: to a great extent, the leadership council has the prime responsibility for the implementation and execution of the IT strategy approved and led by the policy board, so joint ownership is essential.


4. Emerging trends, applications and issues

Single Compliance Platform

Present-day compliance efforts are not well orchestrated: companies are trying to make multiple compliance regimes work together through workarounds. This is similar to the ERP situation some time back (4-5 years ago), when everyone was buying applications and trying to stitch them together. But the more systems you use, the more fragmented your approach becomes, the less accurate it is, and the more problems you create. Companies are wasting time and effort on these kinds of compliance efforts. Instead, they are looking for a single system integrated into their architecture that runs as part of their IT infrastructure, with the hope that these controls will be embedded into their business controls. This means we need to be looking into a service-oriented architecture. [http://www.itcinstitute.com/display.aspx?id=1174]

Right now, compliance functions are handled by about three different applications. Consolidating these applications could solve about 80 percent of present-day compliance issues in terms of ease of use, security and control measures. This would help in a big way when financial institutions acquire or merge with their competitors. [http://www.itcinstitute.com/display.aspx?id=1174]

SOX future compliance:

The need for tighter access control is now a reality in the third year of SOX compliance. Auditors are looking into the availability of process controls (business controls) such as order to cash, procurement, closing and the like. As of today, few software controls can automate such needs.

Process controls are used for key business processes such as provisioning, giving people access, and then de-provisioning them. This acts as a security deterrent. The right software can accomplish this by having many different levels of built-in controls. Two common scenarios that demand a control be put in place are: a process that does not allow the same person to create and pay a fictitious vendor, and one that prevents duplicate invoicing.

Another instance where these features help is in setting a threshold inventory level to determine whether inventory is being pilfered. One common way inventory gets pilfered arises when companies scrutinize purchase requests only above a certain amount. A purchase below the threshold is not monitored closely, and without these controls an employee can place multiple purchases below the threshold limit and get away with it, in terms of lost inventory. IT controls can prevent such problems.
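The three process controls described above (no single user both creating a vendor and paying it, no duplicate invoices, and detection of purchases split to stay under a review threshold), written as detective checks that run over constructed sample records. This is an added example, not code from the paper or from any product it mentions; the record layouts, the threshold, the window and the user names are assumptions.

```python
"""Detective checks for the SOX process-control scenarios named above: a user who
creates a vendor and also pays it, duplicate invoices, and purchases split to stay
under an approval threshold. All sample records and the threshold are constructed."""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed vendor master: vendor_id -> user who created the record
VENDORS = {"V100": "alice", "V200": "bob"}
# Constructed payments: (invoice_no, vendor_id, amount, paid_by)
PAYMENTS = [
    ("INV-1", "V100", 1200.0, "alice"),   # alice created V100 and also pays it
    ("INV-2", "V200", 800.0, "alice"),
    ("INV-2", "V200", 800.0, "carol"),    # same invoice paid twice
]
# Constructed purchase requests: (requester, date, amount)
PURCHASES = [
    ("dave", date(2006, 5, 1), 4900.0),
    ("dave", date(2006, 5, 2), 4800.0),
    ("dave", date(2006, 5, 4), 4700.0),   # three sub-threshold buys in one week
    ("erin", date(2006, 5, 1), 4900.0),
    ("erin", date(2006, 6, 1), 4900.0),   # a month apart: not flagged
]

def sod_violations(vendors, payments):
    """Invoices where the payer is also the creator of the vendor record."""
    return sorted({inv for inv, vid, _, payer in payments if vendors.get(vid) == payer})

def duplicate_invoices(payments):
    """Invoice numbers posted more than once against the same vendor."""
    counts = Counter((vid, inv) for inv, vid, _, _ in payments)
    return sorted(inv for (vid, inv), n in counts.items() if n > 1)

def split_purchases(purchases, threshold=5000.0, window=timedelta(days=7), min_count=3):
    """Requesters with min_count+ sub-threshold buys in one window that together exceed it."""
    by_user = defaultdict(list)
    for who, when, amt in purchases:
        if amt < threshold:
            by_user[who].append((when, amt))
    flagged = []
    for who, rows in by_user.items():
        rows.sort()
        for i in range(len(rows)):          # sliding window starting at row i
            j, total = i, 0.0
            while j < len(rows) and rows[j][0] - rows[i][0] <= window:
                total += rows[j][1]
                j += 1
            if j - i >= min_count and total > threshold:
                flagged.append(who)
                break
    return sorted(flagged)
```

Run against real ledgers these checks would read from the ERP's vendor master, payables and purchasing tables; the window and count should be tuned to the approval policy in force.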

CoBIT 4.0:

CoBIT, like the other control frameworks, will evolve as IT control objectives change and are refined. The newest additions in 4.0 are maturity models, key goal indicators, key performance indicators and critical success factors. These allow management to assess the IT environment against CoBIT’s 34 high-level control objectives. The IT governance management guidelines also touch upon the governance of IT with the business goals of adding value while balancing risk and return. The following chart shows the components and their relationships under CoBIT 4.0.

Figure 6: Components and relationships under CoBIT 4.0

5. Conclusion and findings

I started out this project, naively, to get an idea of how to coherently knit together the different regulations mandated by the government to prevent fraudulent practices and to have secure transactions at all levels of business. This goal was not accomplished. Instead I got caught up in the regulations such as SOX, CoBIT and COSO. I do understand that these regulatory boards address different issues, but the thought of unifying them under a common scheme was tempting. But I am glad to see that some industry stalwarts have the same unifying theme and are slowly putting it to work under the banner of “Single Compliance Platform”.


The case studies I picked (however varied) gave me an insight into why the goal of a single platform under one system is important. It would simplify the maintenance of the system and reduce the learning curve to adhere to practices. The key lesson I saw was that regulations are a double-edged sword: they can hurt you and/or make your processes transparent. It can be a rewarding experience in the hands of a consultant, or a nightmare. But overall I do agree with the concept and implementation of Trustworthy Computing as a very necessary goal for all corporations. If only the world were a bit more honest a place to live in...

6. Annotated references

1. Trustworthy Computing white paper, Craig Mundie, Oct 2002

2. Trustworthy Computing Security Development white paper, Steve Lipner, Mar 2005

3. Single compliance platform, http://www.itcinstitute.com/display.aspx?id=1174

4. IT governance framework, Craig Symons, Mar 29, 2005

5. Enterprise Risk Management Framework, COSO, http://www.erm.coso.org

6. CIO guide to SOX, Reymann Group Inc., Jan 2005

7. Sarbanes-Oxley summary, AICPA, http://www.aicpa.org/info/sarbanes_oxley_summary.htm

8. Enterprise Value: Governance of IT investments – ING case study

9. IT Governance Institute and CoBIT, http://www.itgi.org
