Share on:

Using COBIT 5: Enabling Information to Perform an Information Quality Assessment

By Felipe da Silva Antonio, COBIT Foundation, CTFL, and Alessandro Manotti, CISA, CISM

COBIT Focus | 3 October 2016 Portuguese

Information is considered a main resource for any organization as the evolution of information technology in recent decades has reached almost all organizations. No matter their size—small, medium or large—organizations use computer systems to perform the most critical processes and provide them competitive advantage. Companies currently use the power of data analytics to decide where to open a branch, how to increase investments or when to launch a product in accordance with their target customers.

Today, data translated into information is considered an important asset for financial institutions. The financial industry has made large investments in data analytics technologies and applications in order to create information that supports strategic decision making, goal setting or other data-driven efforts. Application and technology initiatives that do not yield timely, accurate, quality data are worthless investments.

In planning for a financial crisis, the need for good IT governance becomes a main concern for many organizations. COBIT adds significant value primarily by providing a reference model for governance and management of enterprise IT. In preparing for periodic internal, external and regulatory audits, COBIT 5: Enabling Processes supports the enterprise assessment for several IT control activities and provides a basis for evaluating governance and management of IT processes. However, when it comes to assessment of the relevant controls for data and information, COBIT 5: Enabling Processes focuses on the Processes enabler, so ISACA developed specific COBIT guidance for the information enabler. COBIT 5: Enabling Information provides more targeted support for controls implementation focusing on data quality and relevance for information generated, transmitted and stored.

A data analytics audit related to a financial institution environment is designed to provide an opinion of information safety, data quality and relevance of information to support the strategic business context. Applying the guidance provided in COBIT 5: Enabling Information enables an evaluation of the relevance of the criteria for information quality (intrinsic, contextual and security) and its subdimensions, as shown in figure 1.

Figure 1—Information Goals/Quality Criteria Applied to Relevance of Information

Source: Adapted from ISACA, COBIT 5: Enabling Information, USA, 2012

Besides the traditional process approach to information security (confidentiality, integrity and availability), the COBIT 5: Enabling Information guide addresses other important information quality criteria more specific to the user's perception, as per a survey research method using the publication’s information goals/quality criteria subdimensions to capture important data about information quality user awareness. The survey is a “method for information gathering directly from people’s perspective about their ideas, feelings, consciousness, plans and beliefs, based on their social, educational and financial background.”1 Based on this method, the authors of this article developed a survey to capture user information quality awareness related to COBIT information quality criteria and applied it to all information stakeholders involved in a card-acquiring service.

An acquiring service is a registered member of the card associations (e.g., Visa, MasterCard). The service contracts with merchants to create and maintain accounts that allow the business to accept credit and debit cards (i.e., merchant accounts). The acquiring service provides merchants with equipment and software to accept cards, promotional materials, customer service and other necessary tools involved in card acceptance. The acquiring service bank also deposits funds from credit card sales into a merchant's account.

The first section of the survey questions was directed to a group of 15 middle management and executives from different areas and functions in an acquiring service to gain an understanding of the types of users and their information collection methods, by querying the participants on data environments and extraction tools used. In the second part of the survey, the questions were designed to obtain stakeholder perceptions regarding the quality of the subdimensions of information as described in the COBIT 5: Enabling Information criteria. It is difficult to focus on those aspects and come to a concise conclusion without understanding the users’ context. The questions were multiple choice with 3 possible responses (yes, no, sometimes). The main survey question was “In your opinion, the quality of information provided has been”:

  • Accurate and reliable
  • Coming from authentic and reliable sources
  • Applicable, useful and sufficiently updated to support routine tasks
  • Presented in a simple manner
  • Available in defined, clear units
  • Easily understood
  • Available when needed
  • Easy to handle and can apply to different tasks

After completion of the survey, the authors used a predefined metric that was translated into a result of adherent (compliant), partially adherent (partially compliant) and nonadherent (noncompliant). Results related to the participants’ evaluations of each of the subdimensions were used to generate a report highlighting the main strengths and weaknesses of the data used by the organization (figure 2).

Figure 2—Information Quality Goals Applied in the Survey

Source: F. da Silva Antonio and A. Manotti. Reprinted with permission.

The criteria used in this evaluation can serve as a starting point for further reviews of analytical data environments and to support improvements in each new evaluation focusing on critical data and information.

The survey tool developed using information quality criteria proposed by COBIT 5: Enabling Information was very useful in providing a more relevant data, information and behavior assessment of users’ awareness. It enabled a more detailed diagnosis on key information used by the organization and, consequently, added business value.

Felipe da Silva Antonio, COBIT Foundations, CTFL

Is an audit and information systems professional with more than 8 years of experience in systems audit and software development. He works in financial institutions and in national and multinational IT consulting firms. He can be contacted at

Alessandro Manotti, CISA, CISM

Is an audit and information security professional with 15 years of experience in systems audit and information security. He has worked in Brazil and elsewhere for financial institutions and Big 4 consultancies. He can be contacted at


1 Mello, C.; Métodos quantitativos: pesquisa, levantamento ou survey, Aula 09 da disciplina de metodologia de pesquisa na UNIFEI, 2013