by Scott Owens, PMP
In a 2005 study of nearly 700 organizations, PricewaterhouseCoopers and the IT Governance Institute found that 87 percent of companies recognize the importance of IT in the execution of their business strategy, yet fewer than 20 percent consider their IT department to have reached an optimal level of maturity. So what is wrong with IT, and how can we fix it?
A fundamental misunderstanding
All organizations, including those in the health care industry, struggle to successfully implement IT. The fundamental problem: Non-IT executives typically don’t understand IT. As a result, they don’t provide the IT department with the necessary information and resources it needs to succeed. In the end, the IT department and executive management are both unhappy.
It’s no surprise, then, that IT-related topics are on the agenda at 63 percent of board meetings, with a lack of transparency and a disconnect between the business and its IT department being high on the list of concerns, according to the IT Governance Institute.
Seeking a solution
Most readers will agree that this situation cannot continue. Because IT supports the business in increasing capacities, it is essential that executives effectively manage IT. The question is, how can that be done to everyone’s satisfaction?
One option is a “control framework.” In this context, that means a health care organization’s IT structure, policies, and procedures are deliberately designed to provide reasonable assurance that its business objectives will be achieved and that undesirable events will be prevented, or else detected and corrected.
Do you need a control framework?
All effective organizations have some level of control over their processes. The question is, do you need more? To answer this question, the IT Governance Institute suggests you should answer the following questions:
- Is IT achieving its objectives?
- Is IT resilient enough to learn and adapt to changing conditions?
- Does IT consistently follow standardized procedures and best practices?
- Does IT methodically and wisely identify and manage the risks it faces?
- Does IT communicate effectively to executive management?
- Does IT align its projects with business strategies?
- Does IT link its activities to business requirements?
- Is IT measuring its performance against scorecards or other metrics?
- Is IT effectively optimizing its budget?
- Is IT providing transparency to its actions?
If you answered no to any of these questions, you could benefit from an IT control framework.
Defining a control framework
The Control Objectives for Information and Related Technology (CobiT) control framework is a model for IT governance. It defines a set of generic IT processes, then maps those processes to IT governance “focal points.” These focal points, in turn, are linked to the business’s goals.
By implementing CobiT, an organization can help ensure that IT aligns itself with the business’s strategies; that management understands and supports the role of IT; that all IT activities and processes have unambiguous ownership; and that IT risks are identified and managed responsibly.
It also helps an organization meet regulatory and standards-based control requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act, the USA PATRIOT Act, International Organization for Standardization (ISO) 17799 and 9001, the North American Electric Reliability Council (NERC) reliability standards, and control requirements for Supervisory Control and Data Acquisition (SCADA) systems.
Thanks to CobiT, processes and costs can be more effectively controlled and optimized so that the organization maximizes the benefits of IT, according to the IT Governance Institute.
Compatibility with other standards
Many organizations will report that they already have performance measurement processes in place that they do not want to disrupt. CobiT not only can be used alongside other performance measurement processes, such as scorecards and dashboards, but also makes those processes more effective.
It has also been harmonized with a number of IT standards and best practices, including those issued by the Office of Government Commerce (OGC), the IT Infrastructure Library (ITIL), the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC), the Software Engineering Institute (SEI), the Project Management Institute (PMI), and the Information Security Forum (ISF).
Organizing IT with CobiT
How does CobiT work? To start, it divides IT processes into four primary “domains” (Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate), each with a set of control objectives. This is detailed in the table below, based on information supplied by the IT Governance Institute.
The idea is that control objectives show the relationship between the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability) and the IT resources (people, applications, technologies, facilities, and data). Furthermore, each control objective has specific inputs (reports, plans, test results, trends, etc.) and outputs (assessments, action plans, etc.).

How it works
CobiT describes each process with a five-part “fill-in-the-blank” statement, with the blanks to be filled in indicated by letters in the following sentence:
Control over the IT process of [a] that satisfies the business requirement for IT of [b] by focusing on [c] is achieved by [d] and is measured by [e].
The details of each step (a through e) are linked to specific activities and owners. The following example, simplified from one provided by the IT Governance Institute, illustrates:
Control over the IT process of [IT risk management] that satisfies the business requirement for IT of [analyzing and communicating the potential impact of IT risks on business processes and goals] by focusing on [the development of a risk management framework that is integrated with the business risk management framework] is achieved by [ensuring that risk management is fully embedded in management processes and is consistently applied; performing risk assessments; and recommending and communicating remedies] and is measured by [the percentage of critical IT objectives covered by risk assessment; the percentage of identified risks that have action plans; and the percentage of action plans approved for implementation].
The benefits of the CobiT methodology
The CobiT methodology is designed to provide a 360-degree view of each IT process. The result is better understanding and control of IT, which helps management judge the likelihood that IT activities will succeed or fail, measure and reduce organizational risk, and thereby improve the organization as a whole.
The survey data support this. Of the 700 organizations surveyed by PricewaterhouseCoopers and the IT Governance Institute, 40 percent have either implemented an IT governance framework or are in the process of doing so. Of those, 25 percent are using CobiT, and 80 percent of those users report that CobiT is a valuable tool in achieving their IT governance objectives, according to the 2006 IT Governance Global Status Report.
About the Author
Scott Owens, PMP, assists health-care providers and other organizations in the areas of program and project management, strategic information systems planning, enterprise system implementation, business process analysis and improvement, IT department management, and business continuity and disaster recovery planning. Please call Scott at our Milwaukee office at (414) 431-9389 or e-mail him at sowens@wipfli.com.