The Central Bank of the Republic of Armenia has approximately 700 employees in 20 departments. With the importance and use of information technology (IT) growing every year, the bank decided it was important to have a uniform method—and a common business language—for internal control and IT audit. Previously, the large IT department had been using different IT solutions, instead of one cohesive method.
In 2003, the bank’s board of directors decided to implement Control Objectives for Information and related Technology (COBIT), the globally accepted set of good practices from the IT Governance Institute that all organizations can use to ensure that their IT is helping them achieve their goals and objectives. The board selected COBIT after conducting global research and finding that COBIT was well known and internationally respected.
Now, the organization’s IT audit division uses COBIT when performing audits, and risk assessments are conducted according to COBIT processes.
Whenever an IT process or process group is audited, the IT audit division compiles a report and presents it to the board. Thus, the board is well informed on the findings and makes decisions that take into account the IT audit division’s recommendations.
In 2008, the chief auditor, who previously was the head of IT audit division, became a board member, giving IT a significant presence in the boardroom.
“This is a very big plus because many companies do not have any IT-savvy board members,” said Komitas Stepanyan, head of the IT audit division. “The lack of an IT presence affects many of their IT-related decisions and makes it more difficult to manage IT.”
The Central Bank of the Republic of Armenia’s main goals were to achieve a higher maturity level for IT processes, control IT risks and manage IT investments. Before implementing COBIT, the company assessed IT process maturity levels and found that many processes had maturity levels of 2. At the end of 2008, after implementing COBIT, the company reassessed the maturity and found that all processes are at maturity levels of at least 3 and often 4 (the results ware validated by the external auditors as well).
In the years since the bank began using COBIT, it has focused most heavily on database management, problem management and IT project management processes. By the end of 2010, it will have completed all processes. Once finished, the bank will analyze its efficiencies and expects to find great improvements compared to pre-COBIT levels. Additionally, the bank will begin pursuing certification for its IT auditors, IT managers and security managers [currently the bank has one Certified Information Systems Auditor (CISA) and one Certified Information Security Manager (CISM).