‘You don’t learn to walk by following rules. You learn by doing, and by falling over.’ – Richard Branson
In 1996 ISACA, formerly the Information Systems Audit and Control Association (now officially known simply as ISACA), released a new guidance framework to assist financial auditors in assessing IT governance and management: COBIT (Control Objectives for Information and Related Technologies). Over the next 16 years, ISACA continued to build out the COBIT framework, culminating in COBIT 4, COBIT 4.1 and COBIT 5, released in 2005, 2007 and 2012 respectively. Since then, the framework has remained static, with only small adjustments as opposed to iterative changes. Well, the time has finally come for something new: COBIT 2019.
With 40 governance/management objectives, each with a defined purpose and mapped to specific core processes, COBIT 2019 has been fashioned with the overall objective of creating a tailored governance and management system that fits your organization (see the core model design below). The same applies from the audit perspective. The framework keeps a similar theme to its older COBIT brethren, but with greater emphasis on the enterprise governance factor. Let’s look at each section in a little more detail.
Evaluate, Direct & Monitor – EDM is the new kid on the block. It houses 5 objectives that focus on a few specific, governance-related areas. These include alignment of enterprise and I&T strategies, optimization of costs and efficiency, and stakeholder buy-in.
Align, Plan & Organize – APO has been around since COBIT 5, and prior to that was simply Plan & Organize. Where EDM focused on governance, APO dials in on the managerial level. Its 14 objectives include managing organizational structure and strategy, budgeting and costs, the HR aspect of I&T, vendors, service agreements (both internal and external), risk and data.
Build, Acquire & Implement – BAI has likewise been around since COBIT 5, and was known as Acquire & Implement prior to that. BAI is heavily focused on managing changes to data and assets while ensuring end-user availability and capacity needs are met. Weighted as equally important in this section are the Change Management process and the Project Management process.
Deliver, Service & Support – Like the two previous domains, DSS has existed since COBIT 5, and was previously known as Deliver & Support. DSS, while only containing 6 objectives, is the broadest and most IT-centric of the domains. Its attention is focused on managing operations, problems, incidents, continuity, process controls, and security. Although not specifically stated, user access would be included in this domain.
Monitor, Evaluate & Assess – MEA is the fifth and final domain; it too has been around since COBIT 5 and was previously Monitor & Evaluate. MEA has only 4 objectives, but those objectives serve to create a monitoring function that ensures compliance for APO, BAI, and DSS. These objectives include the management of performance and conformance, internal control, external requirements, and assurance. One specific note worth mentioning is that MEA differs from EDM by concentrating on the monitoring function from an operational standpoint, whereas EDM monitors from a governance (or top-down) approach.
So what does all of this mean for you? Well, first off, this is another tool in your toolbox to assist with ensuring your organization’s Information and Technology structure operates efficiently and effectively while managing your overall risk exposure. Secondly, you can be assured that if your auditor uses this framework to develop their audit programs (Hey YHB IT audit clients, we do! You will see the new language reflected in our reports.), they too will have a more comprehensive program to identify organizational weaknesses. Finally, COBIT 2019 has been designed in such a way that it easily integrates with other frameworks, such as the NIST Cybersecurity Framework (CSF).
About the Author
Brad graduated from Indiana University of Pennsylvania in 2014 with Bachelor’s Degrees in Accounting and Management Information Systems. He joined YHB that same year and has since split his time between both the Bank team and the Risk Advisory Services team completing external and internal financial audits, SOX consulting services, and IT related audit and consulting services. Brad became a Certified Information Systems Auditor in early 2019.