CobiT offers no instant panacea for IT governance, and organizations can't expect to implement an effective framework overnight. But while Information Systems Audit and Control Association (ISACA) International Vice President Howard Nicholson acknowledges CobiT is certainly not "plug and play", he says it will certainly enable organizations to achieve better alignment of IT and business objectives.
Nicholson says the recently updated CobiT framework and the institute's new IT investment framework, Val IT, will herald development of management information on IT operations that is accessible to senior management. It will ensure the allocation of responsibility and accountability to the most appropriate organizational players. It will provide a shared understanding amongst all stakeholders, based on a common language. And it will also enable the organization to demonstrate to third parties and regulators that it has a clear understanding of the role of IT in achieving business outcomes and is managing IT to maximize those outcomes.
Nicholson, who is also vice president of ISACA's research affiliate, the IT Governance Institute, was speaking ahead of ISACA's International Conference in Adelaide next week.
"CobiT requires a commitment on the part of organizational management at the most senior level, not just IT management. It will also take time and effort to understand the business and IT architecture and to identify those components of CobiT that are applicable to the organization and then tailoring them as needed," he says.
The ITGI has made the CobiT and Val IT frameworks available free of charge in .pdf format to enable better understanding of IT governance and to help organizations to maximize the benefits they derive from their investments in IT. The relevant documentation and a range of other IT Governance documentation, is available on the ITGI web site at www.itgi.org .
Gartner published a research note on CobiT 4.0 late last year, including an analysis of the key changes introduced In COBIT 4.0, strengths and weaknesses of the release, the implications for enterprises and their opinion of what auditors will do following the release.
It found COBIT 4.0 a significant improvement on the third release, "making it more relevant, filling some gaps and adding clarity. Most importantly, it better aligns with good and best practices In the management of IT and so Increases the possibility that Its use will result In a better-managed IT environment and, specifically, improve risk management," Gartner said. It recommended enterprises use it to challenge their established IT governance procedures and to improve the controls they have in place.
Yet when asked about the importance of IT in supporting strategic objectives, Nicholson says most public and private organizations would say very high, if not critical. However the same question relating to IT governance typically earns a different response. A 2005 IT Governance Institute (ITGI) global survey indicates an alarming number of organizations who do not have any form of IT governance framework within their organization. More than half of the 623 respondents to the survey had no formal framework.
This matters because while 87 percent of respondents said IT was a critical component of their organization, less than half were doing anything about ensuring that their IT investment was managed to maximize its benefit to the organization.
"CobiT and its super-set, VaI IT, have a focus on the delivery of business objectives. CobiT makes a clear link between business goals and IT goals. It provides metrics and maturity models to measure achievement and identifies the associated responsibilities of business and IT process owners. CobiT presents a process model which sub-divides IT into 34 recognizable processes aligned with the overarching responsibilities for planning and organizing; acquiring and implementing; delivery and support; and monitoring and evaluation," Nicholson says.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.