COBIT and its Utilization: A framework from the literature
Gail Ridley University of Tasmania
Judy Young University of Tasmania
Peter Carroll University of Tasmania
The Control Objectives for Information and Related Technology (COBIT) is a “trusted” open standard [15: p.33] that is being used increasingly by a diverse range of organizations throughout the world. COBIT is arguably the most appropriate control framework to help an organization ensure alignment between its use of Information Technology (IT) and its business goals, as it places emphasis on the business need that is satisfied by each control objective. This paper reports on the use of a simple classification of the published literature on COBIT to highlight some of the features of that literature.

The appropriate alignment between the use of IT and the business goals of an organization is fundamental to efficient and effective IT governance. IT governance “…is the structure of relationships and processes to develop, direct and control IS/IT resources in order to achieve the enterprise’s goals” [12: p.9]. IT governance has been recognized as a critical success factor in the achievement of corporate success through the deployment of information by means of technology. The importance of IT governance can be appreciated in light of the Gartner Group’s finding that large organizations spend over 50% of their capital investment on IT. However, research has suggested that the contribution of IT governance varies in its effectiveness. IT control frameworks are designed to promote effective IT governance.

Recent pressures, including the failure of organizations such as Enron, have led to an increased focus on corporate accountability. For example, the Sarbanes-Oxley Act of 2002 introduced legislation that imposed new governance requirements. These and other changes have resulted in a new corporate governance model with an increased emphasis on IT governance, one that goes beyond the traditional focus of corporate governance on financial aspects.
2. Mechanisms to Promote Effective IT Governance
In part as a response to new governance requirements, increasing emphasis has been placed on internal controls in organizations. Controls are activities that are undertaken either to eliminate risks or to reduce them to a level that is considered acceptable. The “rules, policies and procedures involved in managing an organization’s risks [are considered] as the system of internal controls” [15: p.32], where internal control is designed to give “reasonable assurance” on the achievement of objectives relating to the “efficiency and effectiveness of operations”, the “reliability of financial reporting” and compliance with relevant laws and regulations.

The development of frameworks of internal control objectives to allow for international standardization has also arisen from pressure by auditors. Without a framework it is difficult for auditors to substantiate their view on internal control. In recent years a range of documents has been issued that aims to assist with the definition, assessment, reporting on and improvement of internal control in organizations. These include COBIT, the Committee of Sponsoring Organizations (COSO) framework, the Institute of Internal Auditors Research Foundation’s Electronic Systems Assurance and Control (eSAC) and the IT Infrastructure Library (ITIL). Although such documents have been developed to address different needs and audiences, many of them have built on the contribution of previous documents and consider much the same internal control concepts. For example, amongst others, COBIT has drawn on both COSO and a predecessor of eSAC.
While a range of frameworks, standards and documents related...