Inside Internal Controls

News and discussion on implementing risk management

COBIT evolves as technology does

CobiT (“Control Objectives for Information and Related Technology”) was introduced in 1996 and was more widely adopted by the business community in the United States in 2002, becoming the framework for evaluating internal controls. The newest issue of ITPP contains revisions and updates to CobiT as it continues to evolve to reflect the role of IT in business.

CobiT 5 was released in 2012. It takes a higher-level governance approach, focusing on stakeholders and their needs. It incorporates the internal control focus of earlier versions of CobiT but goes beyond them. A diagram of the CobiT 5 principles is shown below.

Unlike other internal control frameworks, CobiT focuses on information technology as it functions within a business. The approach is holistic: it integrates the requirements of governing an organization internally with the priorities of a thriving business. These two objectives, running a smoothly operating organization and running a successful business, clearly depend on each other, though how to integrate the principles behind them is not always obvious.

The guidelines within CobiT seek to harmonize these operations. Because technology evolves so rapidly, periodic changes to the mandates in CobiT keep businesses functioning well and making the most of information technology’s tools. Learn more in ITPP’s latest update.

How can I use ITPP to... understand CobiT 5?

Information Technology PolicyPro (ITPP) published by First Reference Inc. includes a succinct introduction to CobiT 5 (as well as our own Canadian IT-control model). You may find it helpful to review it to gain an overview of the new CobiT 5 IT control model, released in 2012.

CobiT 5 divides its 37 governance and management processes into five broad categories (called “domains”). These enabling processes are mapped to 17 IT-related goals and to process-level goals and metrics.

For example, the first domain, “Evaluate, direct, and monitor”, relates to board-level governance over enterprise information technology; the other four domains relate to management of enterprise information technology.

The 17 IT-related goals in the CobiT 5 model (as shown below) are based upon the “balanced scorecard” framework, which divides goals among four dimensions: financial, customer, internal processes, and learning and growth.

Financial

  1. Alignment of IT and business strategy
  2. IT compliance and support for business compliance with external laws and regulations
  3. Commitment of executive management for making IT-related decisions
  4. Managed IT-related business risk
  5. Realized benefits from IT-enabled investments and services portfolio
  6. Transparency of IT costs, benefits and risk

Customer

  7. Delivery of IT services in line with business requirements
  8. Adequate use of applications, information and technology solutions

Internal

  9. IT agility
  10. Security of information, processing infrastructure and applications
  11. Optimization of IT assets, resources and capabilities
  12. Enablement and support of business processes by integrating applications and technology into business processes
  13. Delivery of programs delivering benefits, on time, on budget, and meeting requirements and quality standards
  14. Availability of reliable and useful information for decision making
  15. IT compliance with internal policies

Learning and Growth

  16. Competent and motivated business and IT personnel
  17. Knowledge, expertise and initiatives for business innovation

Source: CobiT 5 A Business Framework for the Governance and Management of Enterprise IT, ISACA, 2012, page 52.

ITPP release 2012-03

With this ITPP release we start the process of converting the cross-references in this book from CobiT 4.1 (published in 2007) to CobiT 5 (published in 2012). Previously, every policy was cross-referenced to CobiT 4.1’s objectives. CobiT 5 takes a somewhat different approach, so the new references are to CobiT 5 “processes” and “IT-related goals.”

CobiT is published by the Information Systems Audit and Control Association (ISACA). It is an authoritative standard for IT controls, and the latest iteration expands its ambit to include governance and enterprise risk management.

This release consists of a replacement of the Introduction to ITPP (where the discussion of CobiT is updated), as well as of all of Chapter 1 – Planning, which includes the following policies:

IT 1.01 – Strategic Planning identifies critical elements of the IT strategic plan and ensures that IT planning is aligned with the organization’s strategic goals.

IT 1.02 – Tactical Planning deals with the annual planning cycle and ensures that it is consistent with the strategic plan.

IT 1.03 – Implementation Planning provides overall policies for implementing and modifying systems and applications.

IT 1.04 – Site Planning addresses selection and preparation of a site for an IT installation.

IT 1.05 – Risk Assessment provides policies for dealing explicitly with risk identification and risk assessment.

IT 1.06 – Risk Management addresses procedures to review and manage IT risks.

The material has been updated and freshened, and cross-references and links have been replaced and updated.

Jeffrey D. Sherman

Chief financial officer, author, lecturer and professor focussing on corporate finance at Atrium Mortgage Investment Corporation, Canadian Mortgage Capital Corp., Trimel Pharmaceuticals Corporation, and Anagram Services
Jeffrey D. Sherman, BComm, MBA, CIM, FCA, is a director or CFO of several public companies and has had over 20 years of executive management experience. He is the author of Finance and Accounting PolicyPro, Not-for-Profit PolicyPro and Information Technology PolicyPro (guides to governance, procedures and internal control, all published by First Reference and the CPA).
