The Pervasiveness of COBIT

COBIT—which turned 20 this year— not only has technical value, but is also an enabler that can improve our careers and our networking opportunities.

ISACA offers IT professionals education, conferences and training to take our careers to a higher level. These activities allow us to create and maintain rich professional contacts and, of course, friendships. In my case, ISACA and COBIT allow me to participate in IT governance and management publications, audit conferences and sustainability events.

As a COBIT follower, I think its 20th birthday is a great moment to remember how many projects have been made better because of COBIT. Or, in other words, how pervasive is COBIT?

Assessing, Identifying Organizational Risks
When you are an auditor or information systems professional, you know very well that the use of IT creates risks for your organization. As an auditor, you must assess those risks and identify and review the effectiveness of the controls that are in place to mitigate them. For example, if your business is supported by IT, you must ensure service availability, accurate and timely information, reliable IT and applications controls, physical security, regulatory compliance, competent and motivated personnel, an appropriate decision-making structure, and well-implemented government and management practices.

But when you use COBIT to audit an accounting system, questions arise:  Why are you doing this audit? For what? For whom? Of course, you use it to benefit the company, because you need to know the financial and economic situation, value of their investment, and achieved profitability.

But there are also other stakeholders, including shareholders and banks that invest or lend money, employees and customers providing and receiving services, the state and its watchdogs that ensure transparency and, finally, society in general.

Considering Sustainability and Social Responsibility
At this point, sustainability and social responsibility considerations are added to the mix, and the field of enterprise IT comes to the forefront. What is the primary role of IT? What should it be? How do IT decisions impact the economic, social and environmental aspects of the enterprise? How does IT help in an earthquake? How much does it help children to study, communicate with others, or simply imagine a better future? Can we measure that? Probably, and COBIT can help. COBIT aligns IT with business needs, whatever the business’s mission or core values are. It evaluates, directs and monitors how IT is, and will be, used.

COBIT also allows enterprises to plan, build, run and monitor all IT resources. But its value increases when a life is saved or a planet is protected by specialized or green IT:  As the International Telecommunication Union’s (ITU) 5th Green Standards Week Declaration stated:

“Think sustainable:  Bridge the gap between experts from the ICT, environment, urban planning, energy sectors and policy makers, to encourage the integration of ICTs into environmental, urban and energy policies in order to improve knowledge on the catalytic role that information and communication technologies (ICTs) can play in reducing energy consumption, increasing environmental resilience, tackling climate change impacts, and enhancing energy efficiency and promoting a circular economy.”

In other words, COBIT 5:

• Improves governance:  COBIT 5 ensures that all stakeholders are identified and their needs are evaluated to determine the enterprise’s overall goals and its associated IT-related goals.
• Improves measurement, monitoring and evaluation systems:  COBIT 5 uses indicators as management tools at various levels and in various sectors to improve monitoring and information systems at different scales.
• Assesses the roles of public and private actors:  COBIT 5 recognizes different stakeholders with different needs and obligations.
• Increases the resilience of human and natural systems:  COBIT 5 suggests stakeholder needs are related to sustainability and, thus, allows the use of its goals to cascade to ensure the identification of enterprise goals and the evaluation of possible risks that can hurt their achievement. So, the implemented

IT process will be capable of delivering outcomes even if the risk factors materialize and the conditions are not the best.

What has COBIT done for you and your organization? Please share your thoughts with ISACA’s online COBIT community.

Braga will present Using the COBIT 5 Assessment Program to Improve the Work Process Capability at the 2016 Governance Risk and Control Conference (GRC), 22-24 August 2016, in Fort Lauderdale, Florida USA.

Editor’s note:  The ISACA Now Blog section is celebrating Women in Technology Month throughout June by featuring female bloggers. If you are a female blogger and would like to contribute a blog, please contact us at [email protected].

Graciela Braga, CGEIT, COBIT 5 Foundation Certificate, CSX Fundamentals Certificate

[ISACA Now Blog]