• Bookmark

Process Capability Assessment Using COBIT 5 as a Compliance Requirement

By Peter C. Tessin, CISA, CRISC, CISM, CGEIT

COBIT Focus | 12 February 2018

Peter C. Tessin Governance and management of enterprise information technology (GEIT) is the practice of applying enterprise resources (enablers) to the creation and delivery of value to enterprise stakeholders. ISACA’s COBIT 5 GEIT framework is well established, having reached its 20th anniversary in 2017, and is used in many industries around the world.

In its inaugural form, COBIT 5 was a control objective-based auditor’s tool. Through the years, and several editions, it grew from this narrow focus to a broad collection of good practices that are meant to be adjusted to the needs of the enterprise and can be applied independent of geography, industry, or other frameworks and standards. Besides private industry, COBIT 5 is now mandated by government agencies for financial institutions. This movement has created a compliance use of COBIT that was not foreseen by its designers, who expected that COBIT would be altered as needed rather than taken as a pseudo standard.

In December 2016, the Central Bank of Jordan (CBJ) enacted a mandate that requires the use of COBIT 5 and the COBIT Process Assessment Model (PAM): Using COBIT 5 for all banks operating within Jordan. This was not the first instance of a government requiring the use of COBIT, merely the latest to do so. CBJ’s regulation states that banks must use the PAM to determine the level to which they are using COBIT 5 and gives specific process capability levels as targets.

The PAM defines an assessment as the examination of evidentiary material measured against the definitions of process capability levels. Once there is evidence that a process does, in fact, exist, there are 5 levels against which its capabilities can be assigned. The PAM has a 0 level for processes that are said to be in place but for which there is insufficient evidence of the process accomplishing its stated purpose.

Designing a governance structure for an enterprise is a multistep process and typically results in a unique set of processes established to enable the enterprise to accomplish its purposes. That said, when a government entity or agency compels an enterprise to measure its process capabilities using COBIT 5 and the PAM, there is no reason to believe the framework cannot be used.
 

Designing a governance structure for an enterprise is a multistep process and typically results in a unique set of processes established to enable the enterprise to accomplish its purposes.


The collection of processes extant in COBIT 5 is derived from years of evolution of the framework, along with concentrated development effort from the resources that created COBIT 5. Their direct use in an enterprise would not leave the enterprise lacking in any material manner. A governance practitioner might quickly argue that the resulting governance structure would not be optimized, and I cannot argue with that. However, from a regulator’s point of view, measuring all market participants against an immovable yardstick has very real value. When the objective for the government is to bring tighter control to a financial industry, then this perspective takes on greater validity.

Practitioners who must perform assessments in a compliance environment have a bit more work to do in that they will most likely be assessing against all 37 processes within COBIT 5 rather than a strategically selected scope. Nonetheless, the processes are well defined within COBIT 5, and the assessor need not spend additional effort learning the nuances of the enterprise’s unique design and implementation of COBIT 5.

It is important for the assessor to recall that the assessment must be performed against the as-is state, not what the assessor believes would have been a more appropriate design for that enterprise. Therefore, the strict adherence to COBIT 5 by the regulatory body turns out to be an advantage, not a detriment.

From this point on, the assessor must focus on completion of process purpose, not the existence of documents. A pitfall awaits the assessor who misinterprets the PAM to say that so many instances of a process must exist or that a certain number and type of evidentiary documentation must exist. To best assess process capability, the assessor must frequently ask whether the evidence available demonstrates the completion or achievement of the process purpose. If that is true, then the assessor can begin considering the higher levels of capability and look for evidence of process definition, process performance measurement, etc.

Any assessor (internal resource or otherwise) who is faced with performing a process capability assessment using COBIT 5 as a compliance exercise can rest assured that this can be a very straightforward exercise and does not have to present any unique difficulties. Use the PAM, the framework and COBIT 5: Enabling Processes, and go for it.


Peter C. Tessin, CISA, CRISC, CISM, CGEIT

Is a senior manager at Discover Financial Services. He leads the governance group within Business Technology (BT) Risk. In this role, he is responsible for ensuring that policy, standards and procedures align with corporate objectives. He serves as the internal party responsible for regulatory exam management and is the internal liaison to Corporate Risk Management. Prior to this role, Tessin was a technical research manager at ISACA where he was the project manager for COBIT 5 and led the development of other COBIT 5-related publications, white papers and articles. Tessin also played a central role in the design of COBIT online, ISACA’s website that offers convenient access to the COBIT 5 product family and includes interactive digital tools to assist in the use of COBIT. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm, where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native United States, including Australia, Canada, France, Germany, Italy, Jordan, Mexico and the United Kingdom.