COBIT Focus, April 2008

page 9
COBIT: An IT Governance Tool for the CIO and CEO
By Romulo Lomparte, CISA

IT should be regarded positively as a value creator
instead of just dwelling on the risks.

The chief information officer (CIO) of an
organization is often the person responsible for
some of the biggest costs/investments in an
enterprise and should always try to show how
technology can enable the business to create
value rather than simply justifying the annual
budget. Do the chief executive officer (CEO) and
the CIO think differently? Hopefully notthey
should be strategically aligned, driving the same
business goals and objectives.

Most departments in companies work as islands
and think about IT only when there is a problem.
That lack of business alignment can produce
conflicting interests and internal anarchy, which
may be reflected in managements attitude. The
alignment of technology, for all areas, does not
have to be a goal, but a means to achieve goals.
The central foundation of strategic alignment is
that strategic planning and strategic operations
must be aligned closely. Therefore, it is best to
consider technology as a strategic tool and not
solely as a concrete resource. The integration of
the business with IT is feasible when the problems
of communication and understanding between the
IT department and the rest of the business are
unravelled and managed.

Alignment requires a good vision by the IT
manager of the business. However, in the majority
of cases, the IT department has too much of a
technical vision of the business goals and supports
strategic decisions based more on economic and
technological objectives than on business-enabling
objectives. IT leaders should help drive enterprise
strategy in partnership with the business. Strategic
decisions should not be of a financial or
commercial nature only; they also need to be
based on enabling the realization of business
benefits. For this reason, it is essential to maintain
communication both in business and technology.
Even when there is an organizational culture that
encourages the alignment of technology with the
business, the greatest barrier is when IT managers
continue to have friction with business managers
because of poor communication, lack of mutual
understanding and trust, and frustration caused by
failuresall leading to a culture of blame.
IT governance is one key part of enterprise
governance. In this sense, the IT manager must
integrate the IT planning and organization within
the overall enterprise to reach alignment of IT
operations and processes with the strategies of
the organization.

The use of COBIT, as a recognized and
internationally accepted standard, is
recommended for good practices of IT
governance. Today, the most successful
organizations are involved in the self-assessment
of their processes and administration techniques.

It is essential to understand that the board of
directors is responsible for the development and the
adoption of standards and norms to control the
companys information systems and technologies.
COBIT is considered worldwide as an accepted
standard that is applicable for good practices of IT
governance, and it is rapidly being adopted. Its
fulfillment or application should be driven by the
board and executives because COBIT is clearly
recognized and internationally accepted as a
framework that enables effective IT controls, based
on criteria acceptable to all parties including auditors.

But what does COBIT provide to the CEO? A
reasonable assurance that:
Accepted objectives of IT control good practices
are being reached
Significant weaknesses in controls are identified
The impact of risks associated with such
weaknesses are being considered properly
Executives are being guided on the corrective
measures that must be adopted

COBIT permits quantitative and qualitative
evaluation, and helps management inform the
board of the true management and control status
of their information systems and processes, which
enables better governance of IT. COBIT is an
important tool for driving good practice and for
enabling management to take control of IT
investments and the associated risks. Based on
standards and internationally recognized good
practices, it also ensures compliance with
regulations, laws and contracts, and offers
confidence to third parties and business partners
regarding the service provision and automated
transaction flows.
Continued on page 10
COBIT Focus, April 2008

page 10
The implementation of better governance based
on COBIT realizes business benefits because it
facilitates the understanding and control of IT
operations within the whole enterprise. The
services or products offered are optimized when
the portfolio of information systems is managed
efficiently, with resources balanced and prioritized
to meet business needs. COBIT drives a better
return on IT investments, the delivery of IT-
enabled solutions and the effective use of IT within
business processes by identifying specific risks
and management gaps, and guiding the
implementation of appropriate controls.

COBIT provides good practice for the strategic
planning for IT, management of IT investments,
program and project management, and risk
assessment. COBIT also enables better
identification of the IT processes critical for
supporting the most important business
processes, products and services provided by
the organization.

How COBIT Would Help the CEO
The CEO has a significant responsibility in many IT
governance processes. According to COBITs
Responsible, Accountable, Consulted and/or
Informed (RACI) charts, the CEO should be
engaged in half of COBITs 34 IT processes and
plays a key role in several, such as identification of
risks. COBIT can help the CEO evaluate how much
value IT gives to the business, how the resources
are managed and how to measure ITs
performance in enabling the fulfillment of the
business goals. Armed with an awareness and
understanding of the conceptual framework of
COBIT, the CEO will be prepared to direct and
monitor the level of alignment of IT with the
business, and the impact such alignment is having.

To use COBIT effectively, the CEO should be
committed to overseeing the quality and security of
the information and other assets, as well as the
optimal use of IT resources, including applications,
data, infrastructure and people. To obtain their
objectives, CEOs should mandate effective
governance of IT, enabled by the COBIT
framework, so they are able to understand the
status of their enterprises IT architecture, and
influence where and what kind of governance and
control must be applied. CEOs can then obtain the
commitment of operational managers.

Enterprises cannot effectively respond to their
business and government IT requirements without
adopting and implementing good IT governance
Figure 1Interrelationships of COBIT Components


Source: IT Governance Institute, COBIT 4.1, 2007
Continued on page 11
COBIT Focus, April 2008

page 11
frameworks and the associated IT controls aligned
with business requirements. The COBIT framework
contains components that are interconnected,
offering support for the key necessities of
governance, administration, control and auditing of
the different shareholders, as shown in figure 1.

Lessons Learned From One Application
The following case can be a useful lesson to many
considering the application of an IT governance
framework. Although the continuation of the project
was jeopardized, due in large part to the negative
influences of a CEO and other managers who did
not provide the proper support or enable the CIO to
successfully complete the project, the following
describes a successful implementation of COBIT.

To initiate the project, the CIO informed the IT
auditor that he was interested in implementing an
IT governance framework, and asked the IT
auditor for support. The IT auditor proposed the
application of COBIT, since the main problem for
the organization was the lack of a governance
framework and the board had to be convinced of
its efficacy.

After two years and much hard work, the CIO and
his team had implemented COBIT; the CIO was
collaborating with the board on the design of
growth strategies, new products and services; and
they had almost finished turning IT into a function
for leveraging development of the organization.
Unfortunately, the CIO had not won the support of
other business managers and after these two
years and due to pressure by upper management,
the CIO could drive it no further.

The lesson learned, during this short period of
successful IT governance in the organization,
showed that even with the certainty of success
with COBIT, there is also the necessity to have an
organizational commitment on the governance
framework for its successful application. Simply,
implementation is not enough; organizational buy-
in from the top down is required.

Conclusion
IT governance is an important part of enterprise
governance, oriented toward developing
processes, organizational structures and
leadership, and completing and suitably reflecting
the strategies and objectives of the organization.
COBIT is an international model that provides the
necessary tools to implement IT governance in
organizations looking to fulfill guidelines of
corporate governance principles for IT. With a
monitoring and self-assessment scheme of great
use to the CEO, COBIT integrates all the
necessary characteristics within a single integral
framework, in line with government and business
requirements. However, its likelihood of success is
drastically diminished if commitment and support
goes only so far as the CIO; successful
implementation depends on commitment and
support from the board and CEO on down.

Romulo Lomparte, CISA
is a IT corporate auditor for Yanbal International,
where he is responsible for reviewing and
evaluating IT controls. He can be reached at
rlomparte@viabcp.com.

ISACA COBIT Education

Looking for ways to build the internal
competencies that support the adoption of COBIT
and IT governance?

ISACA provides COBIT training in several formats.
All ISACA classroom-based courses are delivered
by ISACA-accredited trainers. The following are
descriptions of the current COBIT training
opportunities available through ISACA.

COBIT Awareness Course
The e-learning COBIT

Awareness Course is used

to build awareness around the use and benefits of
COBIT in an organization. Delivered in a two-hour
online-only format, this course explores the current
difficulties organizations are dealing with and
builds a case for the adoption of COBIT as the
answer to these issues. For more information on
this course, please visit
www.isaca.org/cobitcampus.

COBIT Foundation Course
The COBIT Foundation Course, developed in
collaboration with ITpreneurs, explains the COBIT
framework using practical examples and a case
study. The course addresses how to realize
effective IT governance using the COBIT
framework. It is available online
Continued on page 12