IT auditors turn to Cobit for Sarb-Ox guidance

15.05.2006
Increasingly, to keep themselves and their companies out of trouble, IT auditors are going by the book -- the Cobit book on IT governance.

Cobit, formally known as the Control Objectives for Information and Related Technology, is a framework for governing IT and evaluating internal system controls. The guidelines have been around since the early 1990s, but the need to comply with the Sarbanes-Oxley Act is fostering new interest in them, according to attendees at a conference held in Orlando last week for IT auditors.

Sarbanes-Oxley "is an amorphous document -- it says 'Have controls,' but it doesn't tell you what controls or how to have them," said Scott Thomas, an IT security manager at a large food services company that he asked not to be named. Thomas said Cobit has given his company "a nice, solid process" to follow on Sarbanes-Oxley compliance, as well as a means for showing external auditors the security controls it has in place.

In plain English

The framework also gives IT and business managers a common language on system controls, according to Thomas. Without Cobit, communication between the business and IT sides at his company often was "apples to oranges," he said at the conference, which was sponsored by the Information Systems Audit and Control Association (ISACA), based in Rolling Meadows, Ill.

Cobit explains in a "nontechnical way" how to build controls around a business process, said Steven Suther, director of information security management at American Express Technologies, the IT arm of American Express Co. in New York. The framework allows "my business folks to actually understand IT processes for the first time ever," Suther said at the conference.

ISACA offers free downloads of the Cobit framework and a related set of guidelines that are specific to Sarbanes-Oxley. Both were developed by the IT Governance Institute, which works in tandem with ISACA and is also based in Rolling Meadows.

A Version 4 update of Cobit was released in December, and a proposed second edition of the more focused IT Control Objectives for Sarbanes-Oxley document has been made publicly available for review and comment. The draft reflects recent controls-related guidance from the U.S. Securities and Exchange Commission and the Public Company Accounting Oversight Board. The comment period ends June 30.

Complements ITIL

The controls management focus of Cobit differs from the data center orientation of the IT Infrastructure Library. But the two frameworks are complementary, and the latest version of Cobit includes improved integration with ITIL, said Robert Stroud, an IT service management evangelist at CA Inc. and a contributor to Cobit.

ITIL is focused on IT processes, such as how a help desk handles trouble tickets submitted by end users. Cobit takes issues to a higher level inside a company by focusing on meeting business needs, Stroud said. He noted that IT staffers who want to discuss, for instance, how much storage capacity is available aren't necessarily giving business managers the information they really need. "The business just cares about the ultimate service," Stroud said.

Meanwhile, the city of Phoenix is in the planning stages of a Cobit implementation, according to Lance Turcato, the deputy city auditor. Turcato, who previously was involved in a Cobit implementation within the private sector, said the framework can foster a better partnership among IT, business users and corporate auditors.