COBIT Case Study: COBIT and the CPA Firm 

 

Come join the discussionCome join the discussion! R. Curtis Thompson will respond to questions in the discussion area of the COBIT 5—Use It Effectively topic beginning 21 October 2013.

 

With the introduction of COBIT 5, the framework is moving toward a more global application to the enterprise. But, can a smaller organization still take advantage of COBIT 5 to help direct its IT function? This is an account of one organization’s beginning steps toward implementing COBIT 5.

Yount, Hyde & Barbour is a mid-sized regional accounting firm with 21 shareholders and 140 employees. The firm has six locations, with at least 20 people working remotely or at a client’s location at any given time. Thus, there is a complexity to the IT function that is greater than the size of the organization would suggest. The loss of the firm’s IT manager and an IT staff member reduced the IT staff to a single person. While this was a major issue for an accounting firm in the middle of its busiest season, it was an opportunity to redefine the IT function for the entire firm. Several short-term fixes were initiated (hiring an IT generalist and relying on an outsourced vendor to fill in gaps in staffing).

The shareholders of the firm had always had an IT steering committee to communicate the firm’s direction and needs to the IT manager, but the committee had not taken a true governance role. The risk advisory services team was comprised of several Certified Information Systems Auditors (CISAs), including the principal, who was the chair of the IT steering committee. Therefore, it was a logical direction for the IT steering committee to look to the newly released COBIT 5 as the framework on which to develop a better IT function.

COBIT 5 has a diagram that perfectly illustrates the separation of governance and management (figure 1). Defining management’s role as planning, building, running and monitoring appropriately separates it from the role of governance. Defining governance’s role as monitoring, evaluating and giving direction enables the IT steering committee to understand its role and eliminate a tendency for micromanaging the IT function.

Figure 1

The COBIT 5 process reference model illustrates the various processes (figure 2). It lays out the overall scope of the IT function nicely, but is this excessive for an IT department with only one to three staff members? In an accounting firm with 21 partners, all with different practices, there is a great variety of requirements and opinions. While a full implementation of the framework would likely be overly burdensome, there is a great advantage to using the model to design the processes and roles. Some areas will need to be fully documented and formally put in place; others may be more ad hoc and informal.

Figure 2
View large graphic.

The firm is a small organization with a lot of demands on resources. The effort to organize the IT function using a framework so that it can be efficient and fill the needs and expectations of the stakeholders is ongoing. COBIT 5 is a solution for organizing and integrating the IT function within the overall organization. One advantage that the firm has is that the shareholders and staff understand the importance of IT to filling the needs of the firm and its clients effectively and efficiently.

COBIT 5 Implementation lays out seven phases for implementing COBIT 5. Using this guide, the firm began by identifying the drivers as well as the challenges of the initiative (phase 1, What are the drivers?). There were several drivers for the firm. There was a general disconnect between IT and the needs of the professionals. With different practices across the firm there are different needs that were not always understood or addressed. While IT spending was within budget, spending did not always follow the needs of the firm. And for the IT department, one of the biggest issues was the rarely consistent, individual demands of 21 individual shareholders.

The firm is currently between phase 2 (Where are we now?) and phase 3 (Where do we want to be?). These phases are logically being worked on concurrently but are challenging. The busy schedules of the professional staff and the demands on a small IT department tend to interfere with planning sessions and discussions. Milestones and deadlines are now being put in place to help keep the project on track. Some departments have completed the process of identifying where they are and where they want to be. This has been accomplished through planning sessions and discussions. With the input of the IT steering committee, the remaining departments will get these phases completed so the next phases can begin. Plans are in place to begin phase 4 (What needs to be done?) and phase 5 (How do we get there?) in early November.

COBIT 5 has helped the firm think about its IT processes and how they interrelate with the objectives of the firm. Even in a small organization like Yount, Hyde & Barbour, there is room for a framework to help direct the structure and function.

R. Curtis Thompson, CISA, CPA.CITP
Is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and internal controls services for various industries with a concentration in financial institutions.