COBIT Case Study: Coopers & Lybrand 

 

Abstract

Coopers & Lybrand in the Netherlands has 100 EDP auditors in computer assurance services, many of whom already have in-depth knowledge of COBIT and are putting it to use for clients. For many clients we use the following phased approach:

  • Focus. Identify business drivers for IT and assess the level of business risks involved with the deployment of IT.
  • Evaluate. Assess threats and vulnerabilities, identify lacking or inadequate control measures and determine root causes.
  • Address control deficiencies. Agree upon action plans and apply internal control improvements.
  • Monitor. Ensure continuous improvement through the implementation of adequate monitoring of the internal control measures put in place.

A unique benefit of COBIT is that the Information Technology Infrastructure Library (ITIL) is one of the global standards on which COBIT is based. Developed in the UK, ITIL is popular in many countries. In the Netherlands, auditors who are members of ITIMF.EDP, an ITIL user group, are frequently asked to audit IT processes created using ITIL publications. COBIT provides an excellent framework to perform these audits.

Background

We have implemented COBIT for several Coopers & Lybrand clients and are strong supporters of the framework. Our staff uses it to develop improvement programs for client IT departments. The detailed control objectives help us better assess client systems management processes.

Process

Examples of how COBIT was successfully used in business situations include:

Airline company. The client asked us to measure the effectiveness and efficiency of its IT department. We first measured user satisfaction and, after analyzing the findings, performed a detailed review of IT processes based on COBIT guidance. As a result, procedures in the IT department were significantly improved.

Network services supplier. A network provider implemented systems management based on ITIL. We were asked to perform a third-party review and report the results to clients of the provider. Our staff used the COBIT framework to perform the audit.

Not-for-Profit. Based on COBIT's principles and ITIL, we conducted an improvement program for the IT department.

Chamber of Commerce. Several mergers and significant business changes had affected the organization's IT environment. We used the COBIT framework to implement an appropriate improvement program.

Bank. A Dutch bank asked us to document baseline controls for several platforms. We described baseline controls for RS/6000, Windows NT servers and several network components. For the systems management part of the baseline controls, we consulted the detailed control objectives from COBIT.