Where Have All the Control Objectives Gone?

They Have Picked Them Every One...1


Erik Guldentops

I still remember the beginning 20 years ago.

It was cold in Paris in November 1991 when ISACA’s2 European Regional Council3 met. IT audit knowledge was a major theme of the meeting, especially because this group realised that most of the knowledge came from the US. Somewhat desperate for an EU initiative in IT audit research and publications, they ‘badgered’ me, given my academic contacts, into developing a proposal.

I had been intrigued at the time by EDPAA’s Control Objectives because, on one hand, it seemed a comprehensive set of the issues of IT audit and control, while, on the other hand, its prescriptive nature and typical audit language made techies and managers apprehensive (to put it mildly). It was clear to me that, to maintain and enhance its value, it needed a business foundation and a management framework. That became COBIT, and the rest is history…until two weeks ago (at the time of this writing in April 2011).

A brain surge in the middle of the night made me realise that, useful as it was, we never got it right, in all these years, with the COBIT control objectives (COs). Why? Because of the blurring of objective and action! And it is not the first time that the audit profession has struggled with this. Just think of auditors who often push management to apply specific practices while management has its own ideas about achieving the underlying objectives.

And then, this week, serendipity struck! I got the exposure draft of COBIT 5 for review, and what did I see? The COs are gone! It is good that the development team realised that something needed to be done about that; one can debate, however, about what needed to be done.

This brings me back to the history of COBIT, because we struggled with this for close to 20 years. Maybe we can learn something from our struggles.

The first illustration of the issue came with the Peter De Koninck group of experts who began developing the control practices in the second half of the 1990s. They did not explicitly acknowledge the issue of objective vs. action, but, having moved to pure practices, they recognised an underlying need and developed the ‘reasons why’ to support their practices.

The second illustration also came rather early in the COBIT history and relates to the public-sector reaction to COBIT, i.e., that it was not for them. We should have realised that they were partially right, even though the COBIT core development group developed some strong argumentation to the contrary in Washington DC, USA, (of all places) under the guidance of John Lainhart. The action part of the COs might not have always applied to the public sector, but the underlying objective still would have.

A third and similar experience occurred with the development of COBIT Quickstart. COBIT, having gotten quite some exposure by the late 1990s, had gotten the attention of smaller enterprises and especially consultants and auditors of these entities who were desperately looking for a reference guide, but who justly claimed that COBIT was too much for their purposes. Looking back at the result of that development, especially the second edition of Quickstart, I now realise that we evolved the control objectives into pure small-enterprise practices.

2011 marks the 15th anniversary of the publication of the first edition of COBIT. ISACA would like to thank all who have participated in COBIT’s development over the years, especially those who were instrumental to the first edition:

  • Erik Guldentops
  • Eddy Schuermans, CISA, CGEIT
  • Chris Bagot, CISA
  • Gary Austin, CISA, CGEIT, CISSP, PMP
  • Rene Barlage
  • Rick Beatty
  • Henri Beker
  • John Beveridge, CISA, CISM, CGEIT
  • Peter De Koninck, CISA, CFSA, CIA
  • Bart De Schutter
  • Balencia Dozier, CISA
  • Doris Fong
  • Joe Gelinas
  • Gary Hardy, CGEIT
  • John Hayes
  • Greg Hedges, CISM
  • A.I. Heijkamp
  • Max Huijbers
  • Dave Kent, CISA, CGEIT, CGFM
  • Tom Kothe, CISA, CPA
  • John Lainhart, CISA, CISM, CGEIT, CRISC
  • Dan Manson
  • Peter Maertens, CA, CFSA, RE
  • Akira Matsuo, CISA, CPA
  • Bill Pepper
  • Robert Roussey, CPA
  • Alan Stanley
  • Mark Stanley, CISA
  • Tjerk Terpstra, CISA
  • M.E. Van Biene-Hershey
  • Danny Van Riel
  • Bram Vandenberg
  • Mark Wheeler, CISA, CITP, CPA
  • Carla Williams

The fourth lesson (with hindsight) came with COBIT 4. ‘Objective’ means ‘an intention to accomplish’, but there is another concept that is between the ‘objective’ and the ‘action’, and that is the ‘goal’. A ‘goal’ states the actual achievement of the action and has been a fundamental focus for COBIT 4 in its business, IT and process goal cascade and its development of extensive goal metrics. The highly successful result of that development took our attention away from the still-lingering issue with the control objectives.

My fifth example—a strong indication that something was wrong with the COs—was when we recognised the need during COBIT 4 development for the concept of precursors and successors. This concept demonstrates that a CO, now turned into a management practice in one process, will not be successful unless something else has happened in an earlier process (the precursor) and/or until another management practice is applied in a future process (the successor). This shows that control objectives and processes were not the perfect match that we had thought them to be. We also did not pursue the concept because we could not see how it fit in the framework. This was a warning flag, but got lost in the extensive development projects of COBIT 4.

The final piece of the puzzle relates to the ongoing debate of ‘best practice’ vs. ‘good practice’ and another concept that I would call ‘a necessary and reasonably acceptable practice’. By that, I mean that if there is only one good practice or a necessary but not sufficient good practice to respond to a control objective, there is a lesser need to make a distinction between objective and action. There are cases like that in the COs, but, I suspect, they comprise a strong minority. One interesting, overlooked example is COBIT’s successful process structure, which really is a necessary good practice for efficiently implementing IT goals!

To conclude, there is a need for COs, but they should be devoid of any implied action. Maybe calling them control requirements will help. If they were developed like that, they would apply to all enterprises, whatever their industry, sector, size, risk profile or culture.

Such a development initiative would also respond to something that our profession has been lacking: fundamental research into the concepts of IT auditing. I suspect that this could lead us back to the beginning of the COBIT development cycle, because control objectives will likely be expressed in the original seven information criteria of COBIT’s first edition: efficiency, effectiveness, confidentiality, integrity, availability, compliance and reliability. Testing these principles against later developments such as COSO and ISO/IEC 38500, as well as against earlier developments such as Internal Control and Agency Theories, would provide a sound research basis.

Figure 1 (a first cut of control requirements) is not reproduced in this text.

COs reworked as requirements would fit very well with a new and necessary development in COBIT 5, i.e., the concept of governance enablers—currently defined as frameworks, processes, organisational structures, principles and policies. Figure 1 provides a ‘first cut’ of these control requirements.

As a final thought, I plead guilty because I was one of the promoters, in the development of COBIT 4, of the idea to make the COs more (management) action-oriented. It was the right idea, but not at the loss of the essence of the audit and control profession: the true purpose of control. With this year being COBIT’s 15th anniversary, it may be good to reflect on past experiences and future objectives.

Over the years, COBIT has secured for ISACA much recognition and honour. Some highlights include:

  • A December 2010 report by the IT Policy Compliance Group (ITPCG), titled ‘How the Masters of IT Deliver More Value and Less Risk’, reveals the ‘masters of IT’ are using COBIT, IT balanced scorecards and IT portfolio management to improve alignment and deliver more value.
  • On 22 August 2010, the Insurance & Capital Market Supervisor in Israel published the final regulations regarding IT governance in institutional bodies that provide insurance and financial services. The regulations declared COBIT an acceptable and recommended control framework for the existence of efficient control and governance mechanisms in IT.
  • In September 2009, in a report titled ‘Guidance for Best Practices in Information Security and IT Audit’, the IT Policy Compliance Group (ITPCG) cites that the best performing organisations uniquely employ COBIT and COSO guidance to inform and guide practices. Practice guidance from COBIT and COSO is cited as 30 times more common among the top performing organisations to inform, guide and adjust information security and audit practices.
  • The Government of Alberta, Canada, uses COBIT as the basis for its Information Management and Technology (IMT) Governance Framework to drive a majority of the government-wide IMT policy instruments, such as policy directives, standards and guidelines.
  • Text and figures from COBIT 4.1 are used in a white paper titled U.S. Department of Homeland Security (DHS), Information Technology Governance, provided by the US Department of Defense.
  • The US Postal Service was the first federal agency required to comply with Securities and Exchange Commission rules that enforce the US Sarbanes-Oxley Act. IT governance frameworks, including COBIT, were used to conduct an assessment of IT policies, processes and controls that resulted in a list of gaps that will be addressed as key controls are developed.
  • The Information Technology Department of the Government of Kerala, a state in India, issued an order accepting COBIT as the standard for IT governance as part of its national e-governance plan.
  • The Superintendencia Financiera de Colombia, the entity that regulates the banks in Colombia, has adopted and requires the use of COBIT as a reference model for its evaluations, particularly of those entities they supervise, ensuring that these entities, banks and all other financial bodies also use COBIT.
  • The Financial Entities General Superintendence in Costa Rica (SUGEF) issued a regulation on information technology (SUGEF 14-09) for institutions under its supervision. Financial institutions must comply with a minimum maturity level of 3 on 17 of the 34 COBIT processes and must have an annual assessment of their IT management framework by an external auditor.
  • The National Audit Office of the Lithuanian Republic is using COBIT for auditing the IT activities in the government sector.
  • According to the US Office of the Inspector General (OIG), COBIT Security Baseline was one of two tool sets for information security programme reviews that were compatible with the National Institute of Standards and Technology (NIST) Framework for performing Federal Information Security Management Act (FISMA) evaluations.

Endnote

1 From an ancient Cossack folk song, adapted by Pete Seeger in 1955 into ‘Where Have All the Flowers Gone?’
2 Then, actually still called the EDP Auditors Association. The name changed to ISACA in 1994.
3 The council was made up of Svein Dovran, Bjorn Hamplund, Henning Walmar, Gary Hardy, Serge Yablonski, Archie Watt and Erik Guldentops.

Erik Guldentops
is an executive professor at the Management School of the University of Antwerp, Belgium, where he lectures on IT security and control, IT governance, and risk management. He worked for many years at SWIFT (Society for Worldwide Interbank Financial Telecommunication), where he held the positions of inspector-general and director of information security and worked with its board and executive management on the subjects of governance, risk, security and control. He held several positions in ISACA and the IT Governance Institute between 1989 and 2007 and helped in the development of COBIT and Val IT. He recently chaired a panel of professors that reviewed the master of IT audit programmes in four universities in The Netherlands.



The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.