
Inside Internal Controls

News and discussion on implementing risk management


The ISACA has traded in COBIT 5 for COBIT 2019 (Part 3 of 3)


The ISACA has traded in the 7-year-old COBIT 5 for COBIT 2019. This is the last of a 3-part series examining this change. Read part 1 here and part 2 here.

Enterprises have internal and external stakeholders with sometimes different and competing drivers and needs. Enterprises must prioritize these needs, develop goals, and transform goals into actionable strategy using an effective enterprise governance of information and technology (EGIT) system, like COBIT 2019. To that end, COBIT 2019 maintains a clear distinction between governance and management, and allocates to each a unique and exclusive sphere of responsibility and control, or domain. COBIT 2019 has 5 domains with 40 objectives. To achieve the objectives, COBIT 2019 includes 231 practices and 1,202 activities. Read more about these in Information Technology PolicyPro.

The glossary below is a springboard to further examine core elements of COBIT 2019:

  • I&T – Refers to the technology and information processing which enterprises use to achieve their goals, regardless of where these processes reside in the enterprise; importantly, I&T is not limited to the IT department.
  • Goals cascade – Stakeholder drivers and needs are critical to an EGIT because stakeholder drivers and needs cascade into successively refined goals and strategy, ultimately culminating in governance and management objectives. (See Figure 1 – Goals Cascade below.)
  • Components – Are the different types of things which impact a governance system (called enablers under COBIT 5).
  • The balanced scorecard (BSC) – Is a widely-used system for communicating, prioritising and monitoring goals. The BSC classifies goals into 4 dimensions or perspectives: financial (related to financial performance and effective resource use); customer (related to customer value, satisfaction and retention); internal processes (related to efficiency and quality); and growth (related to technological growth and development). As explained further below, COBIT 2019’s enterprise goals cover the 4 dimensions.
  • Focus areas, design factors and design factor impacts are new to COBIT 2019. (Read more below.)

Focus areas

COBIT 2019 introduces focus areas. A focus area is a governance topic, domain or issue that a collection of governance and management objectives and their components can address. For instance, objectives can address cybersecurity, cloud computing and privacy issues, and as such, these three issues are focus areas. As explained in part 2, the purpose of APO14 Managed Data is to manage data across its lifecycle; therefore, APO14 is an objective that could address the focus area of privacy.

The ability to add an unlimited number of new focus areas based on community involvement is one example of what makes COBIT 2019 open-ended.

Design factors

COBIT 2019 introduces design factors. Design factors influence the design of an enterprise’s governance and management system. There are currently 12 design factors:

  1. Enterprise strategy: See Information Technology PolicyPro for more.
  2. Enterprise goals: The 13 enterprise goals are structured along the 4 BSC dimensions described in the glossary above. Table 1 provides a select example of a goal for each dimension:

Table 1 – Enterprise Goals

  Dimension        Enterprise Goals (EG)   Select Goal
  1. Financial     EG01 to EG04            EG04 – Quality of financial information
  2. Customer      EG05 to EG07            EG07 – Quality of management information
  3. Internal      EG08 to EG11            EG10 – Staff skills, motivation and productivity
  4. Growth        EG12 to EG13            EG12 – Managed digital transformation programs

  3. Risk profile: There are 19 I&T-related risk categories to which enterprises are exposed. The enterprise’s risk profile indicates which areas of risk are exceeding its risk appetite. Risk categories include number 11 – Logical attacks (malware and hacking, for example), number 10 – Software failures, and number 12 – Third party/supplier incidents (here COBIT 2019 forces enterprises to consider contemporary issues like supply chain risks, for example).
  4. I&T related issues: The 20 I&T factors, lettered A through T, help organizations identify the I&T issues which they currently face, or in other words, identify which risks have materialised. These may include factor G, which includes unauthorised spending by user departments outside approved IT budgets.
  5. Threat landscape: See Information Technology PolicyPro for more.
  6. Compliance requirements: See Information Technology PolicyPro for more.
  7. Role of IT: See Information Technology PolicyPro for more.
  8. Sourcing model for IT: COBIT 2019 has evolved to expressly consider contemporary IT sourcing models. There are 4 sourcing models: (i) Outsourcing – using a third party to provide IT services; (ii) Cloud – using cloud providers to provide IT services; (iii) Insourced – meaning that the enterprise provides its own IT services and staff; and (iv) Hybrid – a mix of the other three models. The hybrid model is a common one. For instance, an organization may outsource the help desk, use software from cloud service providers, but still maintain an IT department in-house to handle management responsibilities and some operational activities like adding new users.
  9. IT implementation methods: This is a further indication of COBIT 2019’s evolution to address modern realities. Enterprises may adopt one of 4 implementation methods: (i) Agile – using Agile working methods for software development; (ii) DevOps – using DevOps for software building, deployment and operations; (iii) Traditional – using the classic approach to software development (waterfall) and separating software development from operations; and (iv) Hybrid – using bimodal IT, a mix of traditional and modern IT implementation.
  10. Technology adoption strategy: See Information Technology PolicyPro for more.
  11. Enterprise size: See Information Technology PolicyPro for more.
  12. Future factors: This factor is another indicator of COBIT’s open-endedness.

Impact of design factors

Design factors may have 3 types of impacts on a governance system for enterprise I&T: (i) management objective prioritization, (ii) components variation and (iii) focus area specification. (Read more in Information Technology PolicyPro.)

Goals cascade

COBIT 2019 has thoroughly updated, consolidated and clarified the goals cascade. It helps to visualise the goals cascade as a series of waterfalls and their associated plunge pools (a plunge pool is the pool of water beneath a waterfall).

The goals cascade begins with stakeholder drivers and needs, which enterprises must ultimately transform into actionable strategy. Stakeholder drivers and needs cascade into enterprise goals, which are themselves a design factor, as explained above. Next, enterprise goals cascade into alignment goals. Alignment goals were called IT-related goals in COBIT 5; the renaming clarifies that these are not solely within the purview of the IT department. Then, alignment goals cascade into governance and management objectives. (See Figure 1 below.)

Figure 1 – Goals cascade: stakeholder drivers and needs cascade into enterprise goals; enterprise goals cascade into alignment goals; alignment goals cascade into governance and management objectives.

Beyond the scope of this series of articles

ISACA’s COBIT 2019 publications provide more detailed guidance on governance system design, implementation, and performance management, all of which are beyond the scope of this article and are further explained on ISACA’s website.

Information Technology PolicyPro already includes coverage of strategies to help you introduce an effective EGIT system or improve the one you have. Read more about COBIT in the Introduction chapter to the manual. The manual will be updated on a rolling basis to reflect COBIT 2019.

Policies and procedures are essential to good governance and internal controls, but the work required to create and maintain them can seem daunting. Information Technology PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contains sample policies, procedures and other documents, plus authoritative commentary on EGIT, to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request a free 30-day trial of Information Technology PolicyPro here.

Apolone Gentles, JD, CPA,CGA, FCCA, Bsc (Hons)

Apolone Gentles is a CPA,CGA and Ontario lawyer and editor with over 20 years of business experience. Apolone is leveraging 20 years of business and accounting experience to build a commercial litigation practice with an emphasis on construction law. She has held senior leadership roles in non-profit organizations, leading finance, human resources, information technology and facilities teams. She has also held senior roles in audit and assurance services at a “Big Four” audit firm. Apolone has also lectured in Auditing, Economics and Business at post-secondary schools. Read more here
