Control Objectives for Information and Related Technologies (COBIT)
Control Objectives for Information and Related Technologies (COBIT) is a comprehensive framework designed for the development, implementation, monitoring, and improvement of IT governance and management practices. It provides an end-to-end business perspective for IT governance that links business goals to IT goals.
Definition and purpose
COBIT provides guidelines and best practices for enterprises to develop, implement, and maintain effective IT governance and management practices. The main purpose is to help businesses achieve their objectives through the effective and efficient use of IT, while ensuring that IT-related risks are managed appropriately.
The governing body for COBIT is ISACA, a global professional association focused on IT governance.
The latest version, COBIT 2019, was released in 2018.
COBIT is industry-agnostic and can be applied to any enterprise regardless of size, sector, or geography. This includes (but is not limited to) finance, healthcare, IT, manufacturing, and government entities.
Controls and requirements
COBIT 2019 provides a structured framework with several components. The primary components are:
- Performance Management: This provides performance indicators that allow enterprises to measure the achievement of governance and management objectives.
- Objective Cascade: This relates enterprise goals to aligned IT-related goals.
- Governance and Management Objectives: There are 40 objectives split between governance and management. Governance contains the "Evaluate, Direct, and Monitor" (EDM) objectives, while Management is organized into the domains "Align, Plan, and Organize" (APO), "Build, Acquire, and Implement" (BAI), "Deliver, Service, and Support" (DSS), and "Monitor, Evaluate, and Assess" (MEA).
- Components of the governance system: COBIT 2019 identifies the elements that together make up a governance system, including processes, policies, procedures, organizational structures, information flows, skills, infrastructure, and culture.
Each governance and management objective has related processes, with a process description, purpose statement, and a list of activities.
Please refer to the official COBIT documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
COBIT itself does not prescribe specific audit frequencies or durations. Instead, it provides a comprehensive framework that organizations use to develop, implement, and improve IT governance and management. Audits typically assess how well an organization's practices and processes conform to those set forth by COBIT.
Audit frequency and duration will vary based on the organization's size, complexity, industry regulations, and the specific scope of the audit. Some enterprises may perform yearly audits, while others may have more frequent or focused reviews based on their risk profile and business needs.