Case Studies 

Consulting/IT

Enterprise Date

Sun Microsystems/Oracle January 2012

How Used?

Sun/Oracle has found COBIT matrices and mapping documents very helpful when talking about how the various frameworks all fit together. The enterprise has successfully leveraged the concepts in the COBIT-related materials to create discussion of health and maturity self-assessments, provide a line of sight between its activities and its business goals, bring predictability and reliability to how the IT group plans and manages the work across the enterprise, and complement its corporate planning cycle with an “IT management cycle.”

Why COBIT?

  • COBIT provided a useful supporting toolset for the enterprise to govern and manage the IT contribution to the enterprise.
  • COBIT harmonized the enterprise’s many existing frameworks.
  • A COBIT champion ensured that the organization could get really serious about improving governance and management of enterprise IT.
  • A COBIT-inspired model helped all groups see how their work fit under an overall umbrella and how their work related to each other’s work.

Enterprise Date

Maitland July 2011

How Used?

Maitland utilized COBIT to create a shared understanding of information and communication technology (ICT) and its purpose and impact on the enterprise and to increase business oversight and accountability for ICT.

Why COBIT?

  • Is a globally recognized framework.
  • Provides universally applicable governance principles
  • Increases business oversight

Enterprise Date

Dongbu HiTek January 2009

How Used?

The company used COBIT to standardize its business processes based on global standards, comply with K-SOX and ISO 27001, and implement IT governance for Real Time Enterprise (RTE).

Why COBIT?

  • It provides global best practices for IT business processes.
  • It is complementary with major international standards, ITIL, the ISO 27000 series and PMBOK.
  • It provides a common language.

Enterprise Date

Jefferson Wells, USA November 2007

How Used?

Jefferson Wells used COBIT to assess existing controls and make recommendations on new controls for a client. For the IT controls, there is an assessment form that maps COSO to COBIT, and results are recorded directly into a database.

Why COBIT?

  • COBIT helped break down (COSO-related) information into understandable requirements.
  • Comprehensive guidance helped the client’s organization build the high-priority controls it needs.

Enterprise Date

The Manta Group, Canada December 2006

How Used?

COBIT helped clients improve their processes and achieve alignment with business goals through relevant and practical controls and metrics.

Why COBIT?

  • Is the only internationally accepted framework to provide a complete model for governing and attaining value from investments in IT
  • Educated IT and business management regarding the value of IT governance

Enterprise Date

Sun Microsystems, USA June 2005

How Used?

In light of Sarbanes-Oxley and other legislation, Sun’s IT department sought a common framework to view and measure IT’s alignment and contribution to the overall business strategy.

Why COBIT?

  • Supported IT control activities in a resource-constrained environment.
  • Enabled a common language to be used across processes

Enterprise Date

Unisys Corporation, USA September 2005

How Used?

COBIT helped Unisys standardize IT strategy to support global operations, align the IT infrastructure with the company’s overall business strategy and help with Sarbanes-Oxley compliance.

Why COBIT?

  • Is an external standard against which to be measured
  • Provided a comprehensive view of the IT enterprise and a good approach to problem-solving

Education

Enterprise Date

Blackboard Inc. April 2007

How Used?

COBIT is a powerful way to navigate change and improve IT governance.

Why COBIT?

  • Helps IT leaders assess current operations and incorporate them into due diligence activities
  • Creates strong relationships with external auditors

Energy

Enterprise Date

Adnoc Distributions December 2008

How Used?

Adnoc implemented the three most important and relevant COBIT processes, according to the current budget and resource availability. The three processes selected focused on change management, business continuity and service level management. Currently, Adnoc uses COBIT in combination with other best practices, including portions of ITIL, as well as ISO 27001 and PMBOK standards. Additional COBIT processes, including one related to data management, have been identified for the next phase of implementation.

Why COBIT?

  • Adnoc felt that no other standard offered a complete framework to address all the elements of a process, including measurements, key performance indicators (KPIs) and key goal indicators (KGIs)
  • Found to be more general and business-oriented than other standards/frameworks
  • Encompasses most of the elements of an IT environment, while most other standards/frameworks focus on one respective area

Enterprise Date

Ecopetrol SA June 2010

How Used?

The Information Technology Division chose COBIT as the proper IT governance framework to integrate an IT management system. Ecopetrol chose to implement 28 COBIT processes, giving priority to the control objectives that support Sarbanes-Oxley compliance.

Why COBIT?

  • It enables mapping of IT goals to business goals.
  • It results in better alignment, based on a business focus.
  • It provides a view of what IT does that is understandable to management.
  • It indicates clear ownership and responsibilities based on process orientation.
  • It is generally accepted by third parties and regulators.

Financial Services/Insurance

Enterprise Date

Anonymous April 2013

How Used?

This bank chose COBIT 4.1 to address a great many challenges it was facing with day-to-day IT service delivery. The project was bundled with a security assessment exercise. The project kicked off with an assessment, which was documented using the COBIT 4.1 Implementation Tool Kit. Following the determination of business and IT goals, the core of the gap assessment exercise commenced. The focus was on the 34 processes, not on the 210 controls. Several interviews and process review sessions then followed from Plan and Organize (PO) all the way to Monitor and Evaluate (ME), although not necessarily in order, as sessions were based on available resources.

Why COBIT?

  • COBIT 4.1 provided the most rounded approach to achieving the desired outcomes.

Enterprise Date

TT Hellenic Postbank October 2012

How Used?

TT Hellenic Postbank’s IT audit function uses COBIT 4.1 to define the audit universe on which IT audits are performed, to create tactical and strategic risk-based audit plans and to conduct audit engagements.

Why COBIT?

  • COBIT is a widely accepted international IT governance framework.
  • COBIT 4.1’s maturity model and detailed control objectives allow for a clearer understanding of the current level of effectiveness and control over IT processes.
  • COBIT helped to easily customize the solution for the needs of each organization and map it to other commonly accepted assurance frameworks.

Enterprise Date

Scotiabank (BNS), Costa Rica July 2012

How Used?

In 2009, COBIT 4.0 implementation became mandatory for financial entities in Costa Rica. Since then, COBIT 4.0 has been used as the overall guidance framework to achieve a third level of maturity for each identified COBIT process. BNS Costa Rica met compliance with this regulation by creating a route plan to achieve control objectives: implementing good IT governance practices and controls; executing independent external audits, led by CISA-certified professionals; and providing COBIT and IT governance training to strengthen the knowledge of personnel participating in the implementation process.

Why COBIT?

  • COBIT helped to achieve a stronger alignment among business and IT strategies.
  • COBIT helped in the creation of processes with internationally accepted, auditable and measurable structures that integrate the best practices in the banking industry.
  • COBIT assisted the organization with key controls identification to ensure internal IT control.
  • COBIT proved useful in the creation of reliable processes to strengthen the application of practices related to the five elements of control that constitute good IT governance.

Enterprise Date

National Stock Exchange (NSE) of India Limited January 2012

How Used?

NSE’s risk management framework was developed based on Risk IT, a component of COBIT. Due to the criticality of NSE’s business operations—and the frequent changes in its IT infrastructure—the decision was made to focus on risk management as an integral element of its day-to-day business processes. NSE concluded that changes in risk need to be tracked on an ongoing basis and defined a monitoring process for continuous updating of changes in the risk profile.

Why COBIT?

  • Risk IT provided control objectives to identify control gaps and to assess the impact of controls on the risk profile.
  • Risk IT helped NSE build a uniform structure and view of IT risk across the organization.
  • Risk IT provided granular guidance on risk management processes.
  • Risk IT helped to link IT risk with business objectives.

Enterprise Date

Grupo Bancolombia January 2011

How Used?

Grupo Bancolombia used COBIT to create a shared vision, unique language, alignment between business strategic planning and IT strategic planning, and clarity in roles and responsibilities.

Why COBIT?

  • Is used worldwide by auditors to verify adherence to and compliance with IT internal controls
  • Helps to ensure compliance with the US Sarbanes-Oxley Act and other global legislation
  • Provides a proactive approach to improving technology processes and services

Enterprise Date

Banco Supervielle S.A. November 2010 (Spanish)

How Used?

Banco Supervielle S.A. used COBIT to create an IT governance framework that enabled the bank to provide training and awareness of internal controls and best practices; to redefine roles, responsibilities and IT internal processes; to implement a control dashboard; and to initiate risk administration.

Why COBIT?

  • Recommended by the local ISACA chapter
  • Most closely matched the bank’s needs
  • Facilitated the bank in measuring its current maturity level, its desired maturity level and estimated time to achieve it

Enterprise Date

A global bank July 2010

How Used?

A global bank used COBIT successfully to provide a common language for multiple technology and business teams, streamline the company’s list of controls, and manage risk and control process for Sarbanes-Oxley and other regulations.

Why COBIT?

  • COBIT provided a common governance and assurance process across technology teams.
  • COBIT helped in developing and managing a single list of controls for each type of risk.
  • COBIT provided confidence to senior executives on the reporting and attestation process.

How Used?

When developing a program that addressed Sarbanes-Oxley, the team realized that they needed the COBIT control framework because it allows them to “own” their IT controls.

Why COBIT?

  • COBIT is the only IT management and control framework that covers the end-to-end IT life cycle.
  • COBIT maps 100% to COSO.

Enterprise Date

Central Bank of the Republic of Armenia February 2009

How Used?

The IT audit division uses COBIT when performing audits, and risk assessments are conducted according to COBIT processes.

Why COBIT?

  • The board selected COBIT after conducting global research and finding that COBIT was well known and internationally respected.

Enterprise Date

ICW Group January 2009

How Used?

ICW Group’s CIO presented the Val IT tool set from ISACA to senior management as the most effective way to both mature the organization and deliver high-quality solutions.

Why COBIT?

  • Val IT is helping the organization achieve ambitious goals by enabling it to make smart decisions that deliver the best business value.
  • Val IT’s proven practices provide practical guidance that helps it reduce costs and increase control.

Enterprise Date

Pension–Fennia October 2008

How Used?

Pension–Fennia used COSO ERM and COBIT to maximize its effectiveness and optimize the maturity of its controls. By using this combined approach, the organization was able to clarify the mutual goals and responsibilities of its business units and IT.

Why COBIT?

  • To use COBIT’s maturity approach as a complement to COSO ERM
  • To deepen the synergy and mutual understanding between business units and IT, and between IT and its service providers.

Enterprise Date

Kuwait Turk Participation Bank April 2007

How Used?

Kuwait Turk initially implemented COBIT to comply with requirements set by the Banking Regulation and Supervision Agency of Turkey (BRSA), but soon realized that the use of COBIT provided many additional benefits, including more controlled and integrated IT processes.

Why COBIT?

  • Came highly recommended
  • Internationally accepted and easily maps to other leading standards

Enterprise Date

Canadian Tire Financial Services, Ltd. February 2007

How Used?

COBIT helped communicate to IT and management why they needed to care about effective controls and provide a framework for implementation.

Why COBIT?

  • COBIT was selected as the framework with which to comply because its control objectives are internationally recognized and considered to be effective at controlling IT-related processes

Enterprise Date

Prudential, Asia September 2006

How Used?

The adoption of COBIT was supported by Prudential’s CEO and board members. COBIT has helped Prudential’s Asia IT team achieve enhanced communication between IT and business operations and responsiveness in project management.

Why COBIT?

  • Helped provide a uniform platform to sustain growth and eliminate risks

Government

Enterprise Date

U.S. Department of Veterans Affairs June 2009

How Used?

A new organizational structure for centralized IT management was based on industry best practices including COBIT and Val IT, both of which provide a framework for IT governance plans, structures and investments.

Why COBIT?

  • Bridges the gaps among control requirements, technical issues and business risks.
  • Enables clear policy development and best practices
  • Emphasizes regulatory compliance

Enterprise Date

Government of Dubai April 2009

How Used?

The Financial Audit Department (FAD), the supreme audit institution of Dubai, recognized the need to promote, formalize and improve IT governance practices within Dubai as the extensive usage of IT is widely accepted as an essential component in providing services to citizens, residents and business entities.

Why COBIT?

  • Team members of the IS audit section of FAD are mostly members of ISACA who hold the CISA, CISM or CGEIT designation. COBIT had already been adopted as the resource serving as the overall framework for IS audit methodology since 2000.
  • The team decided to promote the best practices of COBIT resources among its audit community. COBIT provides control objectives, control practice statements and other resources supporting assurance processes as a global reference framework and benchmark.

Enterprise Date

European Parliament January 2009

How Used?

The European Parliament used the Val IT framework to implement a multi-annual IT plan, prioritising IT investments and business-as-usual work requests following solid, transparent, objective and widely accepted criteria, which are in line both with the IT strategy and with Parliament’s general long-term goals.

Why COBIT?

  • The European Parliament identified the right projects to implement, and has a way of following up on the benefits generated by these projects.
  • Transparency allows EP to create consensus between business users and technical people that EP is doing the right thing, at the right time, within the constraints of the means available.

Enterprise Date

Ontario Pension Board September 2007

How Used?

OPB uses COBIT for continual improvement of IT value and control. The self-evaluation process enabled development of a service catalogue and better alignment with OPB’s outsource service provider.

Why COBIT?

  • Provide better and more personalized service
  • A comprehensive framework for IT governance that helps close gaps, optimize IT investments, ensure effective service delivery and provide measures

Enterprise Date

Region of Peel August 2007

How Used?

Due to the financial significance of IT investment, length of time since the last review and the rate of change in IT, the Region’s CIO and director of Internal Audit agreed that an assessment be conducted using COBIT.

Why COBIT?

  • Represents consensus of global experts
  • Strongly focused on control, and less on execution
  • Peel Region’s experience with COBIT exceeded expectations

Enterprise Date

Bahrain Civil Service Bureau February 2007

How Used?

After analysing existing internal controls using the COBIT framework, a maturity model matrix was prepared and COBIT controls were applied to eliminate weak points.

Why COBIT?

  • COBIT is the most comprehensive, globally respected framework.
  • It can be customised for each organization.
  • It is an effective framework for implementing and improving IT governance.

Healthcare/Related

Enterprise Date

GlaxoSmithKline January 2014

How Used?

Like most innovation-led organisations, GlaxoSmithKline (GSK) is highly dependent on IT. Its large, centralised IT support group has used COBIT 4.1 as the basis for developing an organisational IT governance framework. GSK is beginning its transition to COBIT 5.

Why COBIT?

  • One of GSK’s strategic priorities is to simplify its operating model by reducing complexity and thereby becoming more efficient. This will free up resources to invest in other, more productive, areas of the business. One of the outcomes of this strategy is a more centralised IT organisation, offering standard IT support services to all business areas.

Enterprise Date

Sunnybrook Health Sciences Centre April 2013

How Used?

Whether at the management or board level, IT governance is fundamentally concerned with two primary outcomes: IT value delivery and the mitigation of IT-related risk. These are enabled by ensuring the strategic alignment of IT services with Sunnybrook’s business goals, the availability and management of appropriate IT resources, and the measurement and management of IT process performance. The resulting IT governance program is focused on the application of five governance areas that are common to all enterprise governance frameworks and are applied to Sunnybrook’s IT management.

Why COBIT?

  • Need for increased focus on technical and process risk management within the IT management team following several years of increasing operations, project incidents and disruptions
  • COBIT 4.1, Risk IT and Val IT combine to provide an overall IT governance program that is fully complementary with existing best practices for IT service delivery and provides both managerial and board-level visibility and control over the performance of Sunnybrook’s IT strategic programs.

Enterprise Date

NHS Fife (National Health Service), UK October 2012

How Used?

NHS Fife began working with COBIT in 2007, led by the need to ensure that its e-health services were aligned with NHS’s national and local strategies, along with internal pressures to improve security, audit outcomes and compliance with recognized standards. NHS Fife supported the implementation of COBIT with the Meycor COBIT Suite, which was particularly helpful for establishing a baseline, developing improvement plans, selecting metrics and tracking the improvement cycles designed for each targeted process.

Why COBIT?

  • COBIT provided a vision for a continual improvement process.
  • COBIT established a continual improvement model that was sustainable and demonstrated results.
  • COBIT assisted the organization to establish a mature process and align IT with the organization’s strategy.
  • COBIT proved useful in reducing risk and improving security.
  • COBIT helped in improving internal and external audit outcomes.

Enterprise Date

Hospital in Japan April 2012

How Used?

After the successful implementation of a hospital information system (HIS) based on the COBIT approach, the organization continued to utilize COBIT as the overall guidance to distinguish clinical and IT risk management subjects/objectives; define appropriate system requirements, new business processes and performance indices; and establish appropriate new business and IT management/control processes.

Why COBIT?

  • COBIT helped to establish appropriate, well-organized, effective and efficient IT-related risk management.
  • COBIT assisted the organization with risk management resources to implement processes and improve the lines of communication.
  • COBIT helped in the definition of the elements and controls of IT alignment, and the maintenance and monitoring of risk action plans.
  • COBIT proved useful in the definition of indices for risk management status analysis, measurement and monitoring.

Enterprise Date

Hospital in Japan January 2012

How Used?

A hospital information system (HIS), based on the COBIT approach, was successfully completed and appropriate controls were implemented. COBIT provided a track from generic business goals to IT goals to IT processes. This resulted in a set of metric indicators with which to monitor and evaluate IT performance. The organization was able to define an IT strategy as well as improve its risk and value management.

Why COBIT?

  • COBIT was widely accepted guidance and enabled risk management to facilitate implementation of a total HIS.
  • COBIT helped in the standardization of processes and unification of records.
  • COBIT provided controls and principles to improve communication across the organization.
  • COBIT created a sound risk management environment.

Enterprise Date

Erickson Retirement Communities June 2009

How Used?

To achieve secure information management, resilient processes, risk management and adaptive processes using COBIT as the controls framework.

Why COBIT?

  • Bridges the gap among control requirements, technical issues and business risk.
  • Is a tremendous asset to the IT Governance and Process Excellence Program.

Manufacturing/Transportation

Enterprise Date

Solo Cup January 2011

How Used?

Solo Cup used COBIT effectively to develop a comprehensive set of IT policies. COBIT helped reduce the time needed to complete the initiative.

Why COBIT?

  • COBIT offers a proven and effective set of guidelines.
  • COBIT content is the appropriate depth and breadth to ensure that major IT policy control areas meet control objectives.

Enterprise Date

Harley-Davidson, USA September 2006

How Used?

COBIT helped meet the challenge of getting management, IT and audit speaking the same language and working toward increased control.

Why COBIT?

  • An internationally accepted standard for IT governance and control
  • Benchmarked controls compliance
  • Harmonized with leading guidance

Enterprise Date

Tembec, Canada May 2006

How Used?

Implemented COBIT to increase governance, strategically align IT and the business and standardize processes.

Why COBIT?

  • Improve vendor-neutral framework
  • Developed by a world-class organization