COBIT Case Study: Bahrain Civil Service Bureau 

 

Abstract

The Bahrain Civil Service Bureau (CSB) is responsible for managing human resources and payroll for the staff of all ministries in the kingdom. After the government of Bahrain issued a directive requiring all government entities to adhere to internationally recognised standards that are appropriate for their service fields, CSB analysed information technology (IT) control and governance standards worldwide and recognised that Control Objectives for Information and related Technology (COBIT) provided a thorough, customisable framework for IT governance and control. COBIT has been used to strengthen the Bahrain CSB’s IT infrastructure, and it is now the baseline for all the IT processes. IT governance is seen as a long-term project and the IT governance processes are ongoing at the CSB.

Background

CSB is a Bahrain government organisation with 250 employees. It acts as the consulting agency for other government ministries for human resources and other related activities. Another main role of CSB is running the payroll for the staff of all ministries in the kingdom. CSB has 10 directorates, including MIS (management information systems), Quality, Administration and Finance, and Recruitment.

Process

As per the Bahrain government’s directives, all of the government establishments are required to follow internationally recognised standards according to their service fields. As a result, CSB management decided to improve and strengthen its IT infrastructure through proper risk management and the application of controls wherever necessary. CSB has a human resources (HR) management application that was purchased from a third-party vendor, but the maintenance is done in-house. CSB performed extensive research into IT control and governance standards and learned that COBIT is the most comprehensive, globally respected framework that can be customised for each organisation that uses it.

Senior management provides direction and approval of the ongoing procedures in implementing controls and risk management activities. Having heard about the benefits of COBIT through internal seminars, presentations and discussions, senior management agreed that COBIT was the internationally recognised standard best suited for CSB. Senior managers were especially impressed with the guidelines given by the COBIT framework to achieve CSB goals. Thus, to establish and improve the IT environment, management decided to comply with COBIT.

Members of CSB staff studied the COBIT audit and management guidelines in detail, then analysed the existing internal controls using the COBIT framework as the baseline. A maturity model matrix was prepared, which showed the strong and weak points in the current CSB environment. Then, COBIT controls were applied to eliminate the weak points. This procedure was performed successfully and is now an ongoing process.

At CSB, the areas receiving the most control-related attention were software development, payroll management and database management. For software development, proper test plans were not maintained. Testers gave arbitrary data and the results were not properly documented. In addition, testers had access to the production area. By applying the COBIT controls effectively, these issues were properly handled. For payroll management and database management, access control was the main issue. Now proper access control systems are implemented. Overall risks are reduced by implementing COBIT controls.

Board Involvement

The board of directors is responsible for developing IT plans for the future. Members of the board meet bi-weekly to analyse the issues, if any, and the ongoing IT-related activities. The directors also prepare the budget for the future, evaluate the potential risks and decide how these risks can be overcome.

Conclusion

For CSB, the goal of implementing COBIT included establishing a strong IT environment with fewer weak points. The HR application and payroll processes are expected to be error-free, and there was a need for greater assurance of business continuity. As a result of utilising COBIT, the controls implemented are well suited for CSB’s IT environment. Payroll, database and software development activities are now running with fewer risks.

By implementing appropriate control procedures based on COBIT, overall risks are reduced. As CSB continues to develop, implement and measure IT governance-related activities over time, COBIT will continue to be used as the baseline for all the IT processes. CSB has found COBIT to be a very effective framework for implementing and improving IT governance.