CoBIT is the short name for Control Objectives for Information and Related Technologies. First published in April 1996, CoBIT is the foremost internationally recognized framework for IT governance and control. The most recent version, CoBIT 4.0, was released in 2005.

CoBIT was developed by the IT Governance Institute (ITGI) using a worldwide panel of experts from industry, academia, government, and the IT security and control profession. In-depth research was conducted across a wide variety of global sources in order to pull together the best ideas from all germane technical and professional standards.

CoBIT Concepts

CoBIT divides its primary control objectives into four domains: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. Each of the domains shows the key IT control activities associated with that area. The framework highlights seven qualities of information:

  • Effectiveness

  • Efficiency

  • Confidentiality

  • Integrity

  • Availability

  • Compliance

  • Reliability

There are 34 high-level control objectives and 215 lower-level control activities that are outlined within the CoBIT framework. IT resources are defined as people, applications, infrastructure, and information.

The model shows how all IT activities need to support the governance objectives that, in turn, support the business objectives. The control activities of the four domains work together in a cyclic manner to produce a well-governed IT support organization that produces optimal results based on the priorities and resources of the organization.

The CoBIT framework goes on to elaborate on each of the control activities by providing detailed auditing guidelines (Figure 13-3).

Figure 13-3: CoBIT framework.

CoBIT Features

Following are some additional features that CoBIT provides:

  • CoBIT represents a generally applicable and internationally accepted standard of good practice for IT controls.

  • CoBIT is independent of technical platform.

  • CoBIT is management and business process owner-oriented.

  • CoBIT has become the international de facto standard for IT governance.

The nonprofit, independent ITGI is a research entity affiliated with ISACA. ITGI was established in 1998 to advance international thinking and standards in directing and controlling an enterprise's IT. In addition, ITGI offers original research and case studies to assist organizations and boards of directors in managing their IT resources.

ISACA is a recognized worldwide leader in IT governance, control, security, and assurance, with more than 50,000 members in over 140 countries. Founded in 1969, ISACA sponsors international conferences, publishes the Information Systems Control Journal, and develops international information systems auditing and control standards. Additionally, ISACA administers the globally respected Certified Information Systems Auditor (CISA) designation and the Certified Information Security Manager (CISM) designation.

IT Governance

ISACA was an early promoter of the IT governance concept. It created the ITGI to assist enterprise leaders in their responsibility to ensure that IT goals align with those of the business: that IT delivers value, that performance is measured, that resources are allocated properly, and that risks are mitigated.

ITGI provides the following definition: "IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives."

The growing need for IT governance tools and techniques was fueled by the following factors:

  • Growing complexity of IT environments

  • Fragmented or poorly performing IT infrastructures

  • User frustration leading to ad hoc solutions

  • IT costs perceived to be out of control

  • IT managers operating like firefighters

  • Communication gap between business and IT managers

  • Increasing pressure to leverage technology in business strategies

  • Need to comply with increasing laws, standards, and regulations

  • Scarcity of skilled staff

  • Lack of application ownership

  • Resource conflicts/shifting priorities

  • Impaired organizational flexibility and nimbleness to change

  • Concern for risk exposures

  • Volatile organizational, political, or economic environment

IT Governance Maturity Model

ITGI developed a maturity model for the internal control of IT that gives organizations a pragmatic and structured approach to measuring how well developed their processes are against a consistent and easy-to-understand scale. The maturity model was fashioned after the one originated by the Software Engineering Institute (SEI) for software development. SEI is a federally funded research and development center sponsored by the U.S. Department of Defense and operated by Carnegie Mellon University.

ITGI expanded the basic concept of the maturity model by applying it to the management of IT processes and controls. The principles were used to define a set of levels that allow an organization to assess where it stands with respect to the control and governance of IT. As shown in Figure 13-4, these levels are presented on a scale that moves from nonexistent on the left to optimized on the right. Using such a scale, an organization can determine where it is, define where it wants to go, and, if it identifies a gap, perform an analysis that translates the findings into projects. Reference points can be added to the scale. Comparisons can be made with what other organizations are doing, if those data are available, and the organization can determine where emerging international standards and industry best practices are pointing for the effective management of security and control. A description of each ITGI rating is given in Figure 13-5.

Figure 13-4: IT Governance Institute maturity scale.


Maturity Model for Internal Control

Each maturity level is described by two attributes: the status of the internal control environment, and how internal controls are established and assessed.

0 Nonexistent

Status of the internal control environment: There is no recognition of the need for internal control. Control is not part of the organisation's culture or mission. There is a high risk of control deficiencies and incidents.

Establishment of internal controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

1 Initial/Ad Hoc

Status of the internal control environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.

Establishment of internal controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

2 Repeatable but Intuitive

Status of the internal control environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.

Establishment of internal controls: Assessment of control needs occurs only when needed for selected IT processes, to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed action plan.

3 Defined Process

Status of the internal control environment: Controls are in place and are adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.

Establishment of internal controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and to ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and Measurable

Status of the internal control environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.

Establishment of internal controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organised occasionally.

5 Optimised

Status of the internal control environment: An enterprisewide risk and control programme provides continuous and effective resolution of control and risk issues. Internal control and risk management are integrated with enterprise practices, supported by automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.

Establishment of internal controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs, and they consider maturity attributes to find ways to make controls more efficient and effective. The organisation benchmarks against external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.


Figure 13-5: IT Governance Institute maturity model for internal control.

The COSO-CoBIT Connection

Figure 13-6 illustrates how CoBIT carries forward the COSO concepts by providing the domains, processes, and control activities for the IT world that guide an enterprise toward meeting the internal control requirements it deems appropriate for its own environment. For more information on CoBIT, visit


Note The COSO mapping is based on the original COSO framework. The mapping also applies generally to the later COSO Enterprise Risk Management--Integrated Framework, which expands on internal control and provides a more robust and extensive focus on the broader subject of enterprise risk management. The ERM framework is not intended to replace the original COSO internal control framework and does not do so; rather, it incorporates the internal control framework within it. Users of CoBIT may therefore choose to refer to the enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.

Figure 13-6: CoBIT-COSO relationships.

IT Auditing: Using Controls to Protect Information Assets
Year: 2004