COBIT Case Study: Grupo Bancolombia Implements COBIT to Help Ensure Compliance and Improve Processes 

 

Abstract

Although Grupo Bancolombia already had internal control policies and procedures in place prior to the establishment of the US Sarbanes-Oxley Act, the financial group went a step further by adopting and implementing an internal control management system to help ensure compliance.

To aid in the design and assessment of the internal control system, Grupo Bancolombia implemented Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and COBIT®, which was developed by ISACA, and is available as a free download from www.isaca.org/cobit.

Background

Grupo Bancolombia is a financial group that operates multiple banking services including investment, factoring, fiduciary, leasing, renting and stock market, and it is the first bank in Colombia for assets and market participation. Founded in 1875, Bancolombia operates in Colombia and El Salvador; has subsidiaries in Panama, the Cayman Islands, Puerto Rico and Peru; and has an agency in Miami, Florida, USA. Approximately 650 of the group’s 17,000 employees work in information technology (IT).

Process

Grupo Bancolombia recognized that efficient and secure technology improves overall efficiency, profitability, growth, reliability and compliance. To help achieve its goal of enterprisewide process integration, the group needed a framework that would assist in numerous areas needing improvement—a disjointed IT process with little governability, audit gaps, a lack of documentation and a reactionary approach. COBIT was chosen to help Grupo Bancolombia address its challenges and meet business requirements.

The board of directors of Grupo Bancolombia adopted COBIT as a reference model based on three premises:

  1. COBIT is used worldwide by auditors to verify adherence to and compliance with IT internal controls.
  2. COBIT helps to ensure compliance with the US Sarbanes-Oxley Act.
  3. COBIT provides a proactive approach to improving technology processes and services.

In addition, COBIT was chosen because it facilitates a balance between compliance and performance and because it complements COSO, the group’s organizational internal control model. Grupo Bancolombia utilizes COBIT to proactively address internal and external audits and operating risk compliance.

Conclusion

Grupo Bancolombia has achieved excellent results using COBIT. There is now a shared vision, a unique language, alignment between business strategic planning and IT strategic planning, clarity in roles and responsibilities, a stronger sense of teamwork, and the knowledge of strengths and weaknesses. Several initiatives are still underway, including consolidating all IT throughout the enterprise.