CobiT 4.1 is a very popular framework whose mission is: "To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by organizations and day-to-day use by business managers, IT professionals and assurance professionals" (CobiT 4.1 2007). CobiT 4.1 does not intend to offer a recipe for solving a particular problem; instead, it intends to offer an internationally accepted framework for IT governance control (Ibid.).
CobiT 4.1 framework:
CobiT 4.1 provides processes, metrics and controls to achieve business goals. CobiT 4.1 is business-focused, which means that it follows business goals and that IT responds to the business strategy. For example, some goals state: "Respond to business requirements in alignment with the business strategy" or "Provide a good return on investment of IT-enabled business investments" (CobiT 4.1 2007). CobiT 4.1 is "process-oriented" (34 processes) and "measurement-driven" (it works with metrics). Processes need control and, therefore, CobiT 4.1 is also control-based: "Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process" (Ibid.). The main components of CobiT 4.1 are shown in figure 4.
Figure 1: CobiT 4.1 Framework (CobiT 4.1 2007)
Next, the focus areas for IT governance are presented. Through them, ISACA aims to ensure that IT is aligned with the business, that IT delivers business benefits, that IT resources are used correctly and in a disciplined way, and that IT risks are managed properly (Ibid.).
- "Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT proposition; and aligning IT operations with organization operations" (CobiT 4.1 2007).
- "Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT" (Ibid.).
- "Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues related to the optimization of knowledge and infrastructure" (Ibid.).
- "Risk management requires risk awareness by senior corporate officers, a clear understanding of the organization's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the organization and embedding of risk management responsibilities into the organization" (Ibid.).
- "Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting" (Ibid.).
CobiT 4.1 addresses the different IT governance focus areas with individual CobiT processes (34 generic processes in total). By putting all the focus areas together, it is possible to obtain a holistic view of the IT governance processes and a visual framework for maximizing the benefits from information technology. Each process addresses certain focus areas of IT governance, which are in turn divided into primary and secondary perspectives. The five focus areas are graphically represented in the CobiT 4.1 diamond.
Figure 2: CobiT Diamond in the process AI5 Procure IT Resources
CobiT 4.1 defines IT activities in 34 processes within four domains: Plan and Organise (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME). Below, the typical questions corresponding to the four domains, extracted from the CobiT 4.1 Executive Summary, are shown (CobiT 4.1 2007). The four domains are:
Plan and Organise
- Are IT and the business strategy aligned?
- Is the organization achieving optimum use of its resources?
- Does everyone in the organisation understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
Acquire and Implement
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?
Deliver and Support
- Are IT services being delivered in line with business priorities?
- Are IT costs optimised?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place for information security?
Monitor and Evaluate
- Is IT's performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are adequate confidentiality, integrity and availability controls in place for information security?
For illustrative purposes, all the processes with their corresponding IT governance focus areas are presented in appendix 3a (Ibid.).
ISACA developed a maturity model for CobiT 4.1 based on the Capability Maturity Model (CMM) scale from the Software Engineering Institute. While many concepts of the CMM were used, the CobiT implementation differs from the original CMM, which is oriented toward software product engineering principles. According to ISACA, the Capability Maturity Model in CobiT 4.1 focuses on strategic issues and high-level IT management processes (FAQ ISACA).
Val IT in CobiT 4.1
For better management of benefits, CobiT 4.1 can be applied in combination with other complementary approaches. For example, Val IT and CobiT together improve the ability of decision makers to create value from the delivery of IT services. Val IT takes a pure business perspective by examining strategic and value issues, while CobiT takes an IT perspective by focusing on the architecture and the delivery (Val IT ISACA 2008; Fujitsu Consulting et al. 2007). Val IT sets good practices for the outcomes by measuring, monitoring and optimizing the financial and non-financial value of IT-enabled investments. In the following figure, the so-called 'Four Ares' from Val IT are shown.
Figure 3: The 'Four Ares' adapted from Val IT ISACA (2008)