Control Objectives for Information and Related Technology
CobIT (Control Objectives for Information and Related Technology) is a comprehensive model for enterprise control of the IT environment/IT Governance. CobIT is generally accepted as de facto guidance for compliance with the Sarbanes-Oxley Act, the US Public Company Accounting Oversight Board (PCAOB), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, and the Federal Financial Institutions Examination Council (FFIEC), the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of the Comptroller of the Currency, all of which require IT audits.
CobIT is a comprehensive set of resources that contains all the information organisations need to adopt an IT Governance and control framework. It is a framework that will guide management in deciding on the level of risk to accept, the most appropriate control practices and the path to follow when it is necessary to improve the level of control.
CobIT will help with linking specific IT control models to overall business control models (e.g. COSO, Coco, Cadbury and King). CobIT defines high-level and detailed Control Objectives for the 34 IT processes that are grouped in four domains. CobIT addresses the business objectives in a process-orientated manner.
The 34 IT processes guide management in selecting Critical Success Factors, the most important issues or actions that management needs to achieve control over so that IT can be effective in enabling the entity's business objectives.
CobIT provides a process framework for information system governance and allows organisations to develop a control structure and to link their IT objectives with business requirements. CobIT breaks down the control structure into four major domains and 34 sub-domains:
- Planning & Organisation
- Acquisition & Implementation
- Delivery & Support
With the Critical Success Factors (CSFs) in mind, CobIT guides management in deciding on Key Goal Indicators, those measurements that indicate whether the required outcomes from the CSFs have been achieved. Thereafter, management is directed to determine meaningful measures that indicate how well the IT processes are doing in enabling the goals set by IT management to be achieved.