Brazilian private, government and public organizations have been familiar with the COBIT framework since its inception in the 1990s. However, acceptance and use of the model reached a wider audience with COBIT 4.1, released in 2007. With the launch of COBIT 5 in 2012, managers and auditors were offered a new opportunity: a deeper and more complete model for IT management and governance.
Throughout Brazil, in private, public and government organizations, COBIT has gained acceptance as a de facto standard for good practices. Notable efforts driving the use and acceptance of the framework include surveys, reports and audit initiatives from the Tribunal de Contas da União (TCU), the Brazilian high court for accountancy matters, and the ever-growing number of training courses and certifications attained by professionals and public servants in the different areas related to IT.
The organization discussed in this case study is a government direct administration institution with more than 3,400 public servants and more than 12,000 support staff for its core activities. With a network of more than 8,000 workstations and a large and complex infrastructure, a framework such as COBIT presented itself as a means of planning, managing, supporting and updating IT solutions for internal users. At the same time, it is applied to provide quality services for millions of external users, nationally and worldwide.
Beginning with COBIT 4.1 in the late 2000s, the organization defined some core competencies and IT processes that needed addressing in order to establish a sound foundation for the provision of adequate services. In addition, the organization’s IT audit function, established in 2010, adopted COBIT 4.1 as the guiding model for its activities, associating COBIT processes with a risk matrix to select and prioritize IT processes for auditing purposes.
The first IT processes to be analyzed in this scenario were: Deliver and Support DS2 Manage third-party services, since the organization has a very large contract supporting its IT activities; Acquire and Implement AI7 Install and accredit solutions and changes, since this was identified, by both management and business areas, as a core competence the IT department should hold; PO4 Define the IT processes, organization and relationships, especially regarding the IT committees; and PO9 Assess and manage IT risks, among others. The maturity levels of these processes were found to be at different stages, ranging from initial to defined, and they have been improving consistently over time.
Migrating From COBIT 4.1 to COBIT 5
The comprehensive nature of COBIT 5, which combines several areas, including IT risk, information security and governance, is one of its major benefits. In addition, the enablers concept offers a distinctive view of how and where to pose questions when adopting and enhancing the framework.
To facilitate the transition, the audit function presented to the management staff a simplified model, listing the COBIT 5 processes and asking for the perceived degree of relevance and corporate knowledge of each process. These answers were compared with the maturity observed through audit and internal control actions, making it possible to devise a matrix of priorities for the processes to be analyzed in subsequent audits, which strengthened the support for management decisions through the adoption of the framework.
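The prioritization described above (management's perceived relevance and corporate knowledge of each process, compared with the maturity the audit function actually observed) can be expressed as a simple ranking routine. The following is an added example written for this page, not the organization's or the author's own method; the scoring formula, the 1 to 5 survey scale, the target maturity of "defined" (level 3) and the sample survey answers are all constructed assumptions for illustration. Process identifiers are COBIT 5 names mentioned elsewhere in the article.

```python
from dataclasses import dataclass

# COBIT-style maturity scale (0..5) as used in the case study's audit findings.
MATURITY = {
    "non-existent": 0,
    "initial": 1,
    "repeatable": 2,
    "defined": 3,
    "managed": 4,
    "optimized": 5,
}


@dataclass(frozen=True)
class ProcessAssessment:
    """One row of the priority matrix: survey answers plus audit observation."""
    process_id: str   # e.g. "APO12"
    relevance: int    # perceived relevance, 1..5, from the management survey
    knowledge: int    # corporate knowledge, 1..5, from the management survey
    observed: str     # maturity level observed by audit (key of MATURITY)

    def __post_init__(self):
        # Reject out-of-range survey answers and unknown maturity labels
        # instead of silently producing a misleading score.
        for field_name in ("relevance", "knowledge"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")
        if self.observed not in MATURITY:
            raise ValueError(f"unknown maturity level: {self.observed!r}")


def priority_score(a: ProcessAssessment, target: int = 3) -> int:
    """Hypothetical scoring (an assumption, not the article's formula):
    the gap between the target and observed maturity is scaled by how
    relevant management considers the process, and low corporate
    knowledge adds a further penalty because such processes are harder
    to improve without audit support."""
    gap = max(0, target - MATURITY[a.observed])
    return a.relevance * gap + (5 - a.knowledge)


def prioritize(assessments, target: int = 3):
    """Return (process_id, score) pairs, highest audit priority first.
    Ties are broken by process identifier so the ordering is stable."""
    ranked = sorted(
        assessments,
        key=lambda a: (-priority_score(a, target), a.process_id),
    )
    return [(a.process_id, priority_score(a, target)) for a in ranked]


# Constructed sample survey results; not real data from the organization.
SAMPLE = [
    ProcessAssessment("APO12", relevance=5, knowledge=2, observed="initial"),
    ProcessAssessment("DSS05", relevance=5, knowledge=4, observed="defined"),
    ProcessAssessment("BAI04", relevance=3, knowledge=3, observed="repeatable"),
    ProcessAssessment("EDM03", relevance=4, knowledge=1, observed="initial"),
    ProcessAssessment("DSS04", relevance=4, knowledge=3, observed="repeatable"),
]

if __name__ == "__main__":
    for process_id, score in prioritize(SAMPLE):
        print(f"{process_id}: priority {score}")
```

With the sample data, APO12 and EDM03 rank first (highly relevant, still at initial maturity, poorly understood), while DSS05 ranks last because it already meets the target maturity. The weights are the point to negotiate with management; the structure (observed gap times relevance, plus a knowledge penalty) is what makes the matrix defensible in an audit report.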
Presenting the Model and Obtaining Senior Management Support
The COBIT 5 launch in 2012 was a natural progression and paved the way for a new review of the existing arrangements. The audit function adopted the model's vision of a comprehensive framework, seeing the opportunity to tackle new kinds of activities. IT governance, information security, risk management and professional profiles are examples of areas of partnership between management and audit activities.
Once the organization's IT management saw the value of COBIT 5 as support for its daily functions, the audit function proposed an initial plan to the organization's IT Strategic Committee and recommended COBIT 5 as the basis for IT audit and internal control actions. It became clear that the results of this practice would serve both management's and audit's objectives.
Some of the goals attained by using the COBIT 5 framework include:
- The organization has a common language for IT governance and management activities
- The organization can compare itself with others1
- The organization can plan, manage, provide and maintain IT solutions in accordance with globally recognized best practices2
- The organization can better prepare itself for the introduction of new technologies and solutions, including the introduction of new management models such as a risk-based culture
Applying the Model and Achieving the Goals
Although the IT governance and management model (COBIT 5) is new in the organization (the IT strategic and directive committees were created in 2013), some results are already observable:
- Better relations between internal IT providers and users
- Internal service level agreements (SLAs), stating quality and schedules, among other things, for IT solutions are established
- The institutional perception of IT is better than before the aforementioned initiatives
- IT management can prioritize and focus IT resources in core business areas, allowing for adequate outsourcing of supporting solutions
Some of the COBIT 5 processes already covered by the IT audit function in the last 2 years include: Evaluate, Direct and Monitor process EDM03 Ensure risk optimization; Align, Plan and Organize process APO12 Manage risk; Build, Acquire and Implement process BAI04 Manage availability and capacity; and Deliver, Service and Support processes DSS01 Manage operations, DSS04 Manage continuity and DSS05 Manage security services.
Concepts from the processes EDM03 and APO12, for example, were presented to top management by the audit function in order to stimulate the creation of a corporate culture that embraces risk management. Practices described in BAI04, DSS01, DSS04 and DSS05 were presented to the IT management function for the sake of comparison with actual practices delivered in the daily activities and to stimulate IT management to create indicators and goals.
From the auditor’s perspective, the separation between governance (EDM domain) and management (APO; BAI; DSS; and Monitor, Evaluate and Assess [MEA] domains) processes in COBIT 5 makes clear the activities expected from each function area. On one hand, the IT strategic committee has a clear and detailed map of functions to enforce and supervise, while, on the other hand, IT management has a thorough complement of activities to perform, not to mention other directives as per the Responsible, Accountable, Consulted and Informed (RACI) charts.
The main goal of each audit activity is to provide a reliable assessment of the corresponding process. Using the process practices described in the COBIT 5 framework as guidelines against which to compare the practices adopted by management is a clear and sound foundation. The purpose is clearly not to implement each and every process practice literally as described, but to measure the distance between the recommended and the adopted line of action, providing adjustments where applicable and always considering the organization's particulars. Here another result of the migration to COBIT 5 can be seen: acceptance of the framework grows because of the simplicity and objectivity of its concepts and controls.
To provide the required IT solutions, benefiting from BAI04, DSS01, DSS04 and DSS05, the organization found it necessary to implement a new structure for the IT department, which is now decentralizing some activities to provide better-tailored solutions. The improvement of these activities was made possible by the introduction of the governance and management framework, and it is presently spreading through different client areas.
The audit function, on the other hand, in addition to its normal activities, is recommending that its staff consider the certification program provided by ISACA (Certified Information Systems Auditor [CISA], Certified Information Security Manager [CISM], Certified in the Governance of Enterprise IT [CGEIT], and Certified in Risk and Information Systems Control [CRISC]), aiming to provide auditors with the required skills to support management in present and future decisions.
The Future of the IT Governance and Management Framework
One can see several advantages in adopting COBIT 5. In addition to those already mentioned, others have been observed, such as a decrease in redundant effort and better use of workforce capacity.
The coming years may see deeper adoption of COBIT 5 in the organization, as well as further improvements. As more and better results are achieved, adherence and commitment to the framework increase. One suggestion is that a thorough analysis be performed annually, culminating in the formulation of a strategic plan for the period after 2018, by which time clear examples of success can be collected, measured and evaluated, providing a solid foundation for the adjustments and improvements to come.
João Luiz Marciano, CISA, CGEIT, CRISC
Is an IT auditor and has worked as audit director of a Brazilian government organization since 2013. With more than 20 years of experience in IT and information science, Marciano has worked in information security, artificial intelligence and application development. His areas of interest also include corporate governance and risk management.
1 Besides internal efforts, TCU provides an IT governance index, collected as a survey and presented on a biannual basis.
2 In late 2014, the organization launched the Strategic Plan for IT, which extends through 2018.