COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Join author Oliver Crespo, as he responds to ISACA member questions beginning 2 November 2015. Add your questions by responding to this post!


One of the most important discoveries for the human age was the Rosetta Stone. This piece of granite was the key element to decoding and understanding Egyptian hieroglyphs. Using this stone, it became possible to understand what the Egyptians wrote in their papyrus and allowed us to understand how the ancient Egyptians lived and thought. We understood.

Today, auditors sometimes face this (mis)understanding problem within their audit activities. Though not on par with the Rosetta Stone discovery, at times, a key to enabling different business units to understand each other is needed. Within the corporate world, there are different approaches and views of the same elements. This is probably one of the most complicated situations that an IT auditor can face. Sometimes it is difficult to explain to non-IT people the risk, findings and recommendations that an IT auditor discovers. 


Comments

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Great article Oliver - and thanks for sharing.  I wondered, to what extent your project was supported by any other Guides in the COBIT 5 family and, if so, the extent to which they may have contributed to the success of your project.

Regards
Russell
Russ Raizenberg (Observer) at 11/3/2015 8:49:47 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Hello Oliver,

Well written article!! 

Like Russ, I too would like to know what were the other resources your organization may have used to adopt the new version. Additionally, were there any roadblocks or challenges in particular that were solved.

Cheers,
Rohit
Rohit Banerjee (Influential) at 11/5/2015 1:45:10 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Russ, Rohit, thanks for your comments. It's my pleasure to share my experience with the ISACA Community. In fact, these conversations are probably more interesting than the article! With regard to your questions:

How did we accomplish the project? We faced three main steps.

First, in order to define the process framework, we adopted the process tree defined by COBIT 5. However, it was necessary to align this process tree with the situation within the Company. In the end, two COBIT 5 processes were not included in our process tree after a deep assessment.

After this selection, we defined the indicators that would be necessary in order to define the importance of each process. During this stage we reviewed the COBIT 5 PAM (Process Assessment Model), but we decided to adopt this model in the future. We believe that we need to achieve a higher maturity level within our framework before adopting PAM.

Finally, we defined a set of checklists for the most significant processes, with the most important control objectives to be assessed during the audit activities. For the definition of the checklists we consulted the COBIT 5 for Information Security document and also the COBIT for Assurance.

Communication with other areas: During the project we maintained significant communication with the IT Department because we wanted to align our view with the IT Department. In our case we needed to align the ITIL model from the IT function with our COBIT 5 model. Additionally, our control objectives defined during the project were aligned with those included in the Risk Model defined by the Risk Management function. This situation allows us to be aware of the activities developed by Risk Management affecting the processes defined in our process tree.

I hope this might resolve your doubts. In any case, I'm awaiting your comments, suggestions and things to be improved.

Regards
Oliver
Oliver (Lively) at 11/5/2015 2:35:15 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Hello Oliver,

Thanks for providing a follow up on the queries, really appreciate it!! 

It was very insightful the way you have explained the process you have followed. However, I noticed that your role is of an IT/IS Auditor and you mentioned you (or your team) maintained a lot of communication with the IT team.

Does that mean the initiative was of the Audit team, and not of the IT team? Or was it led by the Audit team? Or was it roughly fifty-fifty partnership initiative between both teams?

Also, did your company follow any Goals Cascading, as mentioned in the COBIT 5 guideline? If yes, how much high level alignment were you able to get with the IT BSC to the Enterprise BSC?

Regards,
Rohit
Rohit Banerjee (Influential) at 11/7/2015 11:36:21 PM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Hi Rohit,

The project was initiated and promoted by the Internal Audit Department. However, one of the most important steps within the project was to align the IT Audit and the IT Department view. At the end you will assess the IT processes so your understanding of the IT processes needs to be clear.

With regards to the Goals Cascade, we did not take into consideration this aspect during the project.

I hope this helps, I really appreciate your questions!

Best regards
Oliver (Lively) at 11/10/2015 10:55:38 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

@Oliver,

Fantastic, sounds like a great start.

Were there any roadblocks or challenges with other stakeholders, especially the IT Department?
Rohit Banerjee (Influential) at 11/11/2015 8:50:12 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Hi Rohit,

The main challenge with the IT Department was to be sure that our perception of the COBIT 5 IT processes covered all the activities developed by the IT people. These activities included not only operational tasks but governance and risk management. According to the article we (internal audit) need to understand IT and IT needs to understand IT Audit.

Another important challenge during the project was to align our risk view with the risk view from the Risk Management function. I work for an insurance company so the term RISK is really important!

Kind regards
Oliver (Lively) at 11/12/2015 3:01:04 AM

RE: COBIT Focus - COBIT 5 Adoption: Understand and Be Understood

Thanks Oliver, for your generous and wonderful insights. Wish you all the best for your good work.
Rohit Banerjee (Influential) at 11/12/2015 11:54:17 PM