The Control Objectives for Information and related Technology (COBIT) is a framework that helps an organization maintain standards and build a system of IT governance. COBIT is a common methodology that many companies use to develop a systematic means of meeting compliance laws.
COBIT consists of 34 IT processes and gives an organization a way to "balance risk and control in a cost-effective manner" (Pederiva, 2003). With newer regulations such as SOX, HIPAA and other government-imposed laws, compliance is something organizations must think about, because the costs of non-compliance can come with a high price tag.
These types of legislation have forced businesses to cope with several quandaries, many of them associated with change and the difficulty of enacting it. Conforming to new laws and regulations entails many alterations, and since more legislative changes are probably on the horizon, being prepared by having established control processes can't hurt.
How COBIT assists with compliance
As a part of making changes in order for a company to align with the law and be in total compliance, companies can utilize the COBIT Framework; it is a tool that can assist in both internal audits and corrective action.
Using COBIT can help lead businesses towards the path of regulatory compliance because it systematically outlines the steps a business needs to take to be in accordance with legislative constraints.
Fundamentally, COBIT's structure offers best practices against which users can measure their own business processes. They can then identify and remediate any weaknesses discovered in the various IT control areas.
COBIT and internal controls
Section 404 of SOX mandates the creation and maintenance of feasible internal controls over organizational data and information. Because of this mandate, companies have to test their internal control processes to meet the SOX requirement and pass an external audit.
Since internal controls affect everyone across an organization at all levels, internal auditing, monitoring and control is an ongoing process businesses need to engage in to remain compliant. These controls must be revisited on a regular basis to ensure continued conformity to laws and regulations. When faults are found, the company will need to take corrective action or be penalized when it fails an external audit. Ideally, the overall goals of organizational quality and of compliance with mandates such as SOX can be accomplished through the use of COBIT methodologies.
Another benefit to using COBIT is it helps conduct internal audits because the fundamentals of internal auditing closely examine the organization's capacity to be in compliance. After the audit is conducted, the processes then pave the way for subsequent corrective action to occur in the identified problem areas that may have gone by unnoticed otherwise.
In addition, since change is often met with resistance, confusion or anxiety, COBIT can help alleviate some of those factors because it is very methodical. Those in charge of leading the change can follow the steps and present them to the rest of the organization to follow.
Change is easier when the chaos factor is eliminated and COBIT can help a company meet its compliance objectives and promote change at the same time. When it comes to compliance, companies have no choice but to enact change and the swifter and smoother the process goes, the easier the organizational change will be.
COBIT and business strategy
Companies that use COBIT as a means of implementing IT governance often find that it also helps their overall business strategy. Compliance does not come without a hefty price tag, but if companies can marry their strategy and governance using IT, it becomes a win-win situation. Using the COBIT framework can help bring both strategy and compliance to fruition. This benefit is a good motivator because, when used strategically, technology gives businesses a competitive edge, and companies that can obtain this advantage and meet compliance needs at the same time are able to bring down the high costs of governance.
While there are other frameworks, the COBIT framework is an established methodology that can provide an organization with the tools necessary to promote a better system of IT governance.
Additional reference: Pederiva, Andrea, "The COBIT Maturity Model in a Vendor Evaluation Case", Information Systems Control Journal, Volume 3, 2003.