Sunday, June 3, 2018

COBIT 5 Architecture

     As illustrated in Exhibit 5.2, these needs flow through what COBIT calls enablers, a series of separate but interconnected processes discussed later in this chapter. The purpose of these enablers is, as the name suggests, to implement and operate the governance and management processes for enterprise IT. Enablers are broadly defined as specific processes, mechanisms, or anything else that can help to achieve the enterprise governance objectives, including resources such as information and people.

     The COBIT 5.0 framework defines seven categories of enablers:
1. Processes
2. Principles and policies
3. Organizational structures
4. Skills and competences
5. Culture and behavior
6. Service capabilities
7. Information

COBIT 5 Simplified General Architecture

      COBIT is a set of guidance materials that supports the major elements of IT governance, incorporating many concepts and topics from enterprise governance and management practice. Enterprises of all sizes around the world have implemented COBIT in its previous 4.1 version. The new COBIT version 5.0 introduces enhancements intended to reduce IT-related risks and increase confidence in the information provided by IT, to enable clear policy development and good practice for IT management, and to increase the value attained from IT while managing compliance.

COBIT PRINCIPLE 2: STAKEHOLDER VALUE DRIVERS
     The business focus of COBIT is achieved through identifying all stakeholders and their needs and determining how they link to governance and management decisions and activities. Perhaps it is best to think of these IT process and operations stakeholders in two groups: internal and external.

     IT operations and processes are very pervasive, and COBIT’s identified internal stakeholders include members of the board of directors, the CEO, chief financial officer (CFO), chief information officer (CIO), business executives, business process owners, business managers, risk managers, security managers, service managers, human resources (HR) managers, internal auditors, IT users, IT operations managers, and many others.

Stakeholder Needs
    Stakeholder needs are influenced by a number of drivers, including strategy changes, a changing business and regulatory environment, and the evolution of technology. These stakeholder needs materialize as a series of potential expectations, concerns, or requirements, all of which relate to one or more of COBIT’s three generic governance objectives: benefits realization, risk optimization, and resource optimization.

     Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise—commercial or not—is value creation, realizing benefits at an optimal resource cost while optimizing risk.  Enterprises have many internal and external stakeholders, and “creating value” means different—and sometimes conflicting— things to each of them. 

     Governance is about negotiating and deciding solutions among different stakeholders’ value interests. In consequence, an IT governance system must consider all of these stakeholders when making benefit, resource, and risk assessments and decisions. For each of these value creation components, the question can and should be asked: For whom are the benefits and risks, and which IT resources are required?

COBIT PRINCIPLE 3: FOCUS ON BUSINESS CONTEXT
     The COBIT framework provides a strong set of guidance materials to help an enterprise improve its IT governance processes, and a core principle of COBIT is its focus on the business context. COBIT’s third key principle emphasizes that business enterprises exist to create value for their stakeholders.

     There are three COBIT-defined governance value objectives here: 
1. Benefits realization 
2. Risk optimization 
3. Resource optimization

Governance Objectives Mapped To Enterprise Goals
      COBIT links each of these three governance objectives to a set of enterprise goals, which it groups into four categories: financial, customer, internal, and learning and growth. Exhibit 5.4 summarizes this mapping of the COBIT governance objectives to the enterprise goals, indicating for each goal whether its relationship to a COBIT-defined governance value objective is primary or secondary.



COBIT and the IT Governance Institute

     A more IT-oriented internal control assessment and guidance framework, called COBIT (Control Objectives for Information and related Technology), has actually been in place since long before SOx, with COBIT first released in 1996. The COBIT framework was initially developed for the internal and external auditors who reviewed computer systems and technology controls (often called IT auditors), but COBIT has also become a preferred tool in many enterprises for complying with SOx Section 404 internal control procedures and for related IT governance support. COBIT provides guidance for evaluating and understanding internal controls, with an emphasis on enterprise IT resources.

      COBIT today has evolved into a helpful tool for assessing IT governance and evaluating all internal controls across an enterprise. It provides emphasis and guidance on the linkage of IT with other business resources to deliver overall value to an enterprise. It is an important tool to help senior enterprise executives establish effective IT governance practices.

AN EXECUTIVE’S INTRODUCTION TO COBIT
     COBIT is an IT governance internal control framework that is an important support tool for documenting and understanding COSO internal controls and SOx requirements, and for recognizing the value of and risks associated with IT assets in an enterprise. The COBIT standards and framework are issued and regularly updated by the IT Governance Institute (ITGI) and the closely affiliated professional organization, the Information Systems Audit and Control Association (ISACA).

     ISACA is more focused on IT auditing, while ITGI’s emphasis is on research and governance processes. ISACA also manages the Certified Information Systems Auditor (CISA) examination and professional designation, as well as other certifications such as the Certified Information Security Manager (CISM) and the Certified in the Governance of Enterprise IT (CGEIT) designations and examinations.

     The Certified Information Security Manager (CISM) certification targets IT security managers and promotes the advancement of professionals who wish to be recognized for their IT governance–related experience and knowledge. As of 2011, COBIT has evolved into its version 5.0 edition. This new edition of the framework was not officially released at the time of our publication, so our comments are based on the final draft releases of this version and the assumption that it will soon become official. With virtually all enterprise processes today tied to IT-related facilities, an understanding of the overall area of IT governance is critical.

      The COBIT framework consists of what are called five principles: broad and interconnected areas of governance and internal controls, as illustrated in Exhibit 5.1. COBIT’s principles are five major areas of emphasis arranged around the core concept of IT governance:
• COBIT Principle 1: An Integrated IT Framework
• COBIT Principle 2: Stakeholder Value Drivers
• COBIT Principle 3: Focus on a Business Context
• COBIT Principle 4: Risk Management
• COBIT Principle 5: Performance Measurement

COBIT IT Governance Principles


     These five COBIT principles, or areas of emphasis, define the elements of the COBIT framework and provide a definition for the key elements of IT governance. The COBIT framework is an effective mechanism for documenting and understanding IT and all other internal controls, and for managing IT governance processes at all levels. Although COBIT first started primarily as a set of “IT audit” guidance materials, it is a much more powerful tool today.

THE COBIT FRAMEWORK AND ITS DRIVERS
      An enterprise executive might ask, “I think I understand some of the key SOx rules and my enterprise uses COSO internal controls; why should I be concerned about this thing called COBIT, yet another framework?” Our answer is that COBIT provides an alternative, and sometimes preferable, approach to defining and describing processes that have more of an IT governance emphasis than the pure COSO internal control framework.

     Information and the IT processes that support it are often the most valuable assets of virtually all enterprises today, and management has a major responsibility to safeguard those supporting IT assets, including automated systems. An enterprise executive today needs to understand these information-related processes and the controls that support them. Taken together, these concerns center on the effectiveness and efficiency of the enterprise’s IT resources and processes in meeting its overall business requirements.

     The COBIT framework recognizes that information should be considered a key resource for all enterprises, and throughout the whole life cycle of information there is a huge dependency on technology. IT and its related technologies are pervasive in enterprises and they need to be governed and managed in a holistic manner, taking in the full end-to-end business and IT functional areas of responsibility.

     Through the effective implementation of COBIT framework guidance, an enterprise should achieve increased:
• Value creation through enterprise IT.
• Business user satisfaction with IT engagement and services.
• Compliance with relevant laws, regulations, and policies.

COBIT PRINCIPLE 1: ESTABLISH AN INTEGRATED IT ARCHITECTURE FRAMEWORK
      In everyday usage, architecture describes the design or style of a building, such as an office headquarters, but today the term also often refers to an enterprise’s IT architecture and its technology selections. For example, when IT functions moved away from centralized legacy mainframe computer systems to networks of smaller server systems, now many years ago, an enterprise IT function would state that it had adopted or implemented a “client–server architecture.”

      Systems architecture is a term IT functions use to refer to the major hardware and software configurations of their IT resources. COBIT has its own architecture; however, the currently published COBIT 5.0 architecture diagram, in its current draft form, may scare off non-IT specialists because of its complexity. Exhibit 5.2 is a simplified diagram of the COBIT version 5.0 architecture components.

Communications and Information

     As part of any evaluation of internal controls, there is a need to understand these information and communication flows or processes in the enterprise.

     An enterprise needs information at all levels to achieve its operational, financial, and compliance objectives. For example, the enterprise needs information to prepare financial reports that are communicated to outside investors, as well as internal cost and external market preference information to make correct marketing decisions. This information must flow from the top levels of the enterprise down to lower levels, and information from the lower levels must flow back up. COSO internal controls also emphasize the importance of keeping information and supporting systems consistent with overall enterprise needs.

Monitoring
     The pyramid view of COSO internal controls in Exhibit 4.2 shows the monitoring component as the capstone, upper level of the COSO internal control components. While internal control systems will work effectively with proper support from management, control procedures, and both information and communication linkages, processes must be in place to monitor these activities. Monitoring has long been the role of IT and other internal auditors, who perform reviews to assess compliance with established procedures; however, COSO internal controls now take a broader view of monitoring as well and recognize that control procedures and other systems change over time.

      COSO gives examples of activities that contribute to this important component of internal control:
• Normal operating management functions
• Communications from external parties
• Enterprise structure and supervisory activities
• Physical inventories and asset reconciliation

INTERNAL CONTROL EVALUATION PROCESS
      The COSO internal control guidance materials outline an evaluation process for reviewing internal controls. Such an evaluator should first develop an understanding of the system design, next test key controls, and then develop conclusions based on the test results.

     COSO internal controls also mention benchmarking as an alternative approach. Benchmarking is the process of comparing an enterprise’s processes and control procedures with those of peer enterprises.

      COSO internal controls recognize that many highly effective procedures are informal and undocumented. Many of these undocumented controls, however, can be tested and evaluated in the same manner as documented ones. While an appropriate level of documentation makes any evaluation of internal control more efficient and facilitates employees’ understanding of how the process works, that documentation is not always essential.

REPORTING INTERNAL CONTROL DEFICIENCIES
     Whether internal control deficiencies are identified through processes in the internal control system itself, through monitoring activities, or other external events, they should be reported to appropriate levels of enterprise management. The key question for any internal controls evaluator is to determine what should be reported given the large body of details that may be encountered, and to whom the reports should be directed. COSO internal controls state that “all internal control deficiencies that can affect the entity’s attaining its objectives should be reported to those who can take necessary action.”

Other Dimensions of the COSO Internal Control Framework
 The COSO internal control framework is a three-dimensional model, as shown in Exhibit 4.1. One of its dimensions is the set of three internal control objectives:
1. Effectiveness and efficiency of operations. 
2. Reliability of financial reporting. 
3. Compliance with applicable laws and regulations

COSO INTERNAL CONTROL SYSTEMS MONITORING GUIDANCE 
     This guidance on monitoring internal systems suggests that enterprises implement internal control monitoring processes similar to the manner in which a manufacturing organization monitors the continued effectiveness and efficiency of its manufacturing procedures. 
     
     The materials suggest that enterprises establish a four-phase monitoring process, as shown in Exhibit 4.3. In this approach, the enterprise should first prioritize and understand the risks to its organizational objectives, and then identify the controls that address those prioritized risks. The third step is to identify the information that will persuasively indicate whether the internal control system is operating effectively. The fourth and final step is to implement cost-effective procedures to evaluate the information gathered through these monitoring processes.

COSO Monitoring Design and Implementation Process

Thursday, May 31, 2018

Control Environment, Risk Assessment & Control Activities (COSO)

   Control Environment
      The foundation or bottom level of the COSO internal control framework is what COSO calls the internal control environment. The control environment should be viewed as a foundation for all other components of internal control, and has an influence on each of the three objectives and overall unit and entity activities. The control environment reflects the overall attitude, awareness, and actions by the board of directors, management, and others concerning the importance of internal controls in the enterprise. Senior managers should always try to manage and understand this overall control environment in their organizations.

     The essential components of the control environment are:
• Integrity and ethical values
• Commitment to competence
• Board of directors and audit committee
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices

Risk Assessment
      The next level or layer above the control environment in the COSO internal control framework is risk assessment. An enterprise’s ability to achieve its objectives can be at risk due to a variety of internal and external factors. Understanding and managing the risk environment is a basic element of the internal control foundation, and an enterprise should have a process in place to evaluate the potential risks that may impact attainment of its various objectives. This risk assessment component focuses on internal controls within an enterprise, a much narrower scope than the COSO ERM enterprise risk management framework or IT governance risk management issues.

     COSO internal control risk assessment should be a forward-looking process that is performed at all levels and for virtually all activities within the enterprise.

The COSO internal controls framework describes risk assessment as a three-step process: 
1. Estimate the significance of the risk. 
2. Assess the likelihood or frequency of the risk occurring. 
3. Consider how the risk should be managed and assess what actions must be taken.

     This COSO risk assessment process places the responsibility on management to assess whether a risk is significant and, if so, to take appropriate actions. COSO internal controls also emphasize that risk analysis is not a theoretical process but often can be critical to an entity’s overall success. As part of its overall assessment of internal control, management should take steps to assess the risks that may impact the overall enterprise as well as the risks over various enterprise activities or entities. A variety of risks, caused by either internal or external sources, may affect the overall enterprise. 

     The risk assessment element of COSO internal controls is an area where there has been much misunderstanding and confusion because of the similarly named COSO ERM framework. The risk assessment component of the COSO internal control framework covers risk assessment within an individual enterprise’s internal control system. The COSO ERM framework covers the entire entity and beyond. These are really two separate issues; one is not a replacement for the other.

Control Activities
     The next layer up in the COSO internal control framework is called control activities. These are the processes and procedures that help ensure that actions identified to address risks are carried out. Control activities exist at all levels, and in many cases may overlap one another. They are essential elements to building and then establishing effective internal controls in an enterprise.

     The COSO internal control framework identifies a series of these activities that are generally classified as manual, IT, or management controls, and they are also described in terms of whether they are preventive, corrective, or detective control activities.

     While no one set of internal control definitions is correct for all situations, COSO internal controls recommend the following control activities for an enterprise: 
• Top-level reviews 
• Direct functional or activity management 
• Information processing 
• Physical controls 
• Performance indicators 
• Segregation of duties 

     These control activities represent only a small number of the many performed in the normal course of business operations but involve policies establishing what should be done and procedures to implement them. Even though control activities may sometimes be communicated orally, they should be implemented thoughtfully, conscientiously, and consistently. This is a strong message for reviewing such internal control activities.

     Control activities should not be installed just because they seem to be the “right thing to do” if there are no significant risks in the area where the control activity would be installed. Sometimes control activities remain in place that once served some control-risk concern, although the concern has largely gone away. A control activity should not be discarded merely because there has been no recent history of control violations, but management needs to periodically reevaluate the associated relative risks. All internal control activities should contribute to the overall control structure, and IT auditors should keep this concept in mind as they review internal controls and make recommendations.

Frameworks To Support Effective IT Governance

IT Governance and COSO Internal Controls
The need for strong and effective internal controls is a key element of enterprise IT governance. A good general definition, adapted from COSO’s definition of internal control, is that internal control is a process, effected by an entity’s board of directors, management, and other personnel, and designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of the enterprise’s financial reporting, and the operation of the enterprise’s IT systems and processes, all in compliance with laws and regulations.

      Enterprise managers are responsible for implementing and managing internal control processes, while their auditors act as independent parties to both review and perform tests of these internal controls as well as to report to management and other parties whether they are adequate.

     An understanding and use of the COSO internal control framework is important for establishing effective IT governance processes. While these rules and procedures have their origins in financial reporting and auditing, in today’s IT-centric world COSO internal controls are important IT governance tools. These are rules that enterprises need to follow in order to assert or attest to regulators that their organizations have effective internal controls in place and that they are operating in compliance with those rules.

IMPORTANCE OF EFFECTIVE INTERNAL CONTROLS AND COSO
     Internal controls are one of the most important and fundamental concepts that senior managers and business professionals at all levels must understand. The business professional builds and uses internal controls, while auditors review and test the operational, IT, and financial systems and processes with an objective of evaluating their internal controls. 

An enterprise unit or process has good internal controls if it:
(1) accomplishes its stated mission in an ethical manner,
(2) produces accurate and reliable data,
(3) complies with applicable laws and enterprise policies,
(4) provides for the economical and efficient use of its resources, and
(5) provides for appropriate safeguarding of assets.

     All members of an enterprise are responsible for the internal controls in their area of operation and for operating them effectively. From an internal control perspective, an enterprise can be compared to our automobile example. There are many enterprise systems and processes at work, such as accounting operations, sales processes, and IT systems. If management does not operate or direct these processes properly, the enterprise may operate out of control. All members of an enterprise should develop an understanding of the appropriate control systems and then determine if they are properly connected to manage the enterprise. These are referred to as the enterprise’s internal control systems.

COSO Internal Control Framework 
     COSO refers to the five professional auditing and accounting organizations that formed a committee to develop this internal control report; its official title is Internal Control—Integrated Framework. This section describes the COSO internal control framework and its use as an IT governance tool for internal control assessments and evaluations.

     COSO provides an excellent description of this multidimensional concept of internal controls, defining internal control as follows: 
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: 
• Effectiveness and efficiency of operations 
• Reliability of financial reporting 
• Compliance with applicable laws and regulations

 COSO uses a three-dimensional model or framework to describe an internal control system in an enterprise.
Exhibit 4.1 shows this COSO internal control framework as a three-dimensional model with the five internal control components as levels on the front-facing side and the three objectives of internal control (effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations) taking roughly equal slices across its top. The right-hand side of Exhibit 4.1 shows three segments representing units or activities of the enterprise, but there could be more of these depending on the structure of the enterprise.


      The point of the COSO internal control framework is that we should always consider each identified internal control in terms of how it relates to other associated internal control elements in the three-dimensional framework.

Monday, May 28, 2018

IMPORTANCE OF GRC GOVERNANCE

     The three GRC principles that support IT governance should be thought of in terms of one continuous and interconnecting flow of concepts, with neither G, nor R, nor C any more important than the others. Corporate or enterprise governance is a term that refers broadly to the rules, processes, or laws by which businesses are operated, regulated, and controlled. The term can refer to internal factors defined by the officers, stockholders, or constitution of a corporation, as well as to external forces such as consumer groups, clients, and government regulations.

     Exhibit 3.2 shows enterprise governance concepts with an executive group in the center and their interlocking and related responsibilities for establishing controls, a strategic framework, performance, and accountability. The exhibit shows some of the key concepts within each of these responsibility areas. For example, for the strategic framework, there are the elements of corporate planning and business activities, risk management, business continuity, IT and network, and internal audit.



RISK MANAGEMENT COMPONENT OF GRC

     A strong set of enterprise-wide GRC principles and components is necessary, and an effective risk management program is a key component of enterprise GRC principles. 

     There are four interconnected steps in effective enterprise risk management GRC processes, as shown in Exhibit 3.3:
1. Risk assessment and planning
2. Risk identification and analysis
3. Developing and exploiting risk response strategies
4. Risk monitoring


    Risk management should create value and be an integral part of organizational processes. It should be part of the decision-making processes and be tailored in a systematic and structured manner to explicitly address the uncertainties an enterprise faces based on the best available information. In addition, risk management processes should be dynamic, iterative, and responsive to change with the capabilities of continual improvements and enhancements.

GRC AND ENTERPRISE COMPLIANCE
     Compliance is the process of adhering to the guidelines or rules established by government agencies, standards groups, or internal corporate policies. 

     Adhering to these compliance-related requirements is a challenge for an enterprise and its related stakeholders because: 
• New regulations are frequently introduced 
• Vaguely written regulations often require interpretation 
• There is no consensus on best practices for compliance 
• Multiple regulations often overlap 
• Regulations are constantly changing

     Exhibit 3.4 illustrates some issues an enterprise should consider as it attempts to establish its scope and approach to GRC compliance.

     A consistent approach on the use of compliance-driven capabilities and supporting technologies across an enterprise can provide an enterprise with these potential benefits:
• Flexibility
• Reduced total cost of compliance ownership
• Competitive advantage


     Effective GRC compliance processes help an enterprise to transform its business operations and gain deeper insight and predictability from its business information as it addresses regulatory-driven requirements. Key business drivers here may include the ability to better manage information assets, demonstrate compliance with regulatory and legal obligations, reduce the risk of litigation, reduce cost of storage and discovery, and demonstrate corporate accountability.

IMPORTANCE OF EFFECTIVE GRC PRACTICES AND PRINCIPLES
     An enterprise needs to adopt strong governance, risk, and compliance processes, with the objective of establishing an effective GRC program. Strong IT governance programs are very important to an enterprise, and they should be supported by enterprise-wide GRC programs of governance, risk management, and overall compliance as well. An enterprise should focus many of its activities strongly on these GRC principles.

Enterprise Governance and GRC Tools

THE ROAD TO EFFECTIVE GRC PRINCIPLES

• All businesses, and publicly traded corporations in particular, have faced governance needs and requirements.
• An enterprise always faces the risk that it will misinterpret rules or be found in violation of one or another of the many applicable laws and regulations.
• There are also risks that an enterprise’s own established governance rules will not achieve the desired results, or that the enterprise may face some outside event beyond its control, such as a significant economic downturn, a terrorist attack or act of war that impacts its sphere of operations, or a fire in a major facility.
• There is a need to understand and manage all of these risks at an overall enterprise level.
• Enterprises have always been concerned with various governance, risk, and compliance issues.

     Business professionals had not even heard about this now increasingly familiar GRC acronym until early in this century. The first letter stands for governance, not just for IT governance but for concerns over the entire enterprise. In short, governance means taking care of business, making sure things are done according to an enterprise’s standards, regulations, board of directors’ decisions, as well as governmental laws and rules. It also means setting forth clearly the stakeholder expectations of what should be done so that all stakeholders are on the same page with regard to how the enterprise is run.

     The R from GRC is risk. Everything we do and all aspects of business operations involve some element of risk. When it comes to an individual running across a freeway or a child playing with matches, it’s pretty clear that certain risks should just not be taken. When it comes to business, however, risk factors become a way to both help protect existing asset values and create value by strategically expanding an enterprise or adding new products and services.

     The C in GRC is compliance with the many laws and directives affecting businesses and citizens today. Sometimes people will also extend that letter to include controls, meaning that it is important to put certain controls in place to ensure that compliance is happening.  GRC is an increasingly recognized term that reflects a new way in which enterprises today are adopting an integrated approach to these aspects of their business. It is important to remember these core disciplines of governance, risk management, and compliance. Each of the disciplines consists of the four basic GRC components: strategy, processes, technology, and people.

Exhibit 3.1 illustrates these GRC concepts. Governance, risk management, and compliance principles should be tightly bound together. The diagram also shows that internal policies are the key factors supporting governance, that external regulations drive compliance principles, and that what we call an enterprise’s risk appetite is a key element of risk management.


     Risk appetite is a relatively new term for many business and IT professionals. It refers to the amount and type of risk that an organization is prepared to pursue, retain, or take. For example, an investor who speculates in what are often called very risky “penny stocks” has a high appetite for risk, while an investor holding generally safe money market funds has a low appetite for risk. This same analogy can be translated to many enterprise business decisions. 

     The triangle diagram in Exhibit 3.1 also shows the components of strategy, effective processes, technologies (including IT), and the people in the enterprise to make all of this work. Off to the left side, the exhibit shows that an enterprise requires management attention and support, and that correct ethical behavior, organizational efficiency, and improved effectiveness are key.