The Control Objectives for Information and related Technology, more commonly referred to as COBIT, is an information management and control strategy framework. It consists of principles, practices, tools and models to help enterprises improve information and technology management processes. The COBIT framework is an open standard published by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). The original version, published in 1996, focused largely on IT auditing. The latest version is COBIT 5, which was released in April 2012 and emphasizes the value information governance can provide to a company's bottom line.
The COBIT framework weaves together models and approaches used by different IT specialties, such as standards from the Information Technology Infrastructure Library (ITIL) and the International Organization for Standardization (ISO). The aim is to provide an overarching framework that incorporates different subsets of information management and control while promoting greater consistency among these areas. Unlike prescriptive requirements for a specific regulation, COBIT can be used for a wide range of enterprise needs, including information security, regulatory compliance, risk management and financial processing.
How does COBIT 5 differ from COBIT 4.1?
A central tenet of COBIT 5 is the alignment of IT objectives with business objectives so that a wider business audience views information governance and control as an asset. In an effort to generate buy-in from all stakeholders in a company, including top executives and directors, the latest version emphasizes its capacity to help create business value. The goal is to "bridge the gap" between business risks, technology and control requirements.
COBIT 5 includes new processes that cover business and IT activities end-to-end so that a company can achieve an organization-wide information governance perspective. To make stakeholders' IT responsibilities and accountabilities more transparent, it offers a detailed explanation of the roles played in IT management, governance and control, with clear definitions of each player's responsibilities and involvement.
COBIT 5 includes aspects of previous versions of the framework, and integrates other ISACA standards, such as Val IT and Risk IT. It also integrates best practices established in other standards, including the Payment Card Industry Data Security Standard, Basel III and The Open Group Architecture Framework.
COBIT 5 also introduces seven enablers for meeting enterprise IT governance goals: processes; principles, policies and frameworks; organizational structures; people, skills and competencies; culture, ethics and behavior; services, infrastructure and applications; and information.
How does COBIT 5 address criticisms of earlier versions of the framework?
Previous versions of COBIT came under criticism for producing limited, and sometimes adverse, results. The IT benchmarking firm Compass found through an analysis of its own clients that COBIT and similar IT management and control approaches could lead to a "hot potato" environment in which stakeholders passed tasks down the line. Critics maintained that COBIT encouraged a focus on paperwork and rote rule following, rather than promoting meaningful IT governance engagement and stronger accountability for it. Compass also found that COBIT was often deployed by service providers rather than by the business itself, so it was not fully integrated into the business.
COBIT 5 addresses these criticisms by encouraging businesses to manage and govern information and technology in an integrated, holistic way. It is based on five principles: meeting stakeholder needs; covering the enterprise end-to-end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management.
How is COBIT used for regulatory compliance?
Publicly traded companies often use COBIT to assist in Sarbanes-Oxley Act compliance processes. The law requires chief executives of publicly traded companies to attest to the accuracy of the information in their financial reports, which necessitates reliable IT processes and controls.
As COBIT 5 Task Force co-chair Derek Oliver noted when the updated framework was released, Sarbanes-Oxley is "about corporate governance, but if you can get IT right, that really drives the compliance requirements for Sarbanes Oxley … One principle of COBIT 5 is working to meet stakeholder needs. When you're looking at COBIT, you say, who is the stakeholder? One stakeholder could be a regulatory body."
What benefits does COBIT 5 offer from a risk management perspective?
COBIT 5 is lauded for its ability to help reduce IT implementation risk. IT initiatives typically require agility and quick adaptation, and at the same time they require buy-in from users and other stakeholders. The framework can help create a collaborative culture that reflects the needs, benefits and risks of IT initiatives, according to COBIT 5 proponents.
As analyst firm Ovum points out, the COBIT 5 framework includes a change enablement approach within the implementation lifecycle that can encourage greater unity around IT deployments and reduce the chance of failure.
What shortcomings do critics see in COBIT 5?
Research analyst firm Gartner Inc. praises COBIT 5 for integrating other ISACA best practices. While Gartner analysts said this is an improvement over version 4.1, it also makes the framework more complex and "could overwhelm new users and inhibit its adoption." The analyst group argues that the new COBIT framework "ignores the blurring boundary between operational technology and information technology, which will have an increasing impact on the management of risk and delivery of value, and will require additional controls."
COBIT 5 defenders counter Gartner's criticisms by arguing that the analyst firm doesn't understand the framework and failed to recognize its guidance on how to manage information and technology.