
IT Governance & The

COBIT 5.0 Framework


Brought to you by: McGladrey
Introduction
Ryan C. Hay, CISA, CISSP, ITIL

- My Background
- Current role
- My views on IT governance & COBIT 5.0
- Expectations from this presentation
About McGladrey
McGladrey is the fifth largest U.S. provider of consulting, assurance and tax services, with
nearly 6,700 professionals and associates in more than 75 cities nationwide. McGladrey is a
licensed certified public accountant (CPA) firm, and is a member of RSM International, the
sixth largest global network of independent consulting, accounting, and tax firms.
As a full-service firm, McGladrey offers the scale, industry insight, thought leadership and
multidisciplinary range of services clients require.

http://mcgladrey.com/
Our Agenda
The Purpose Behind Governance

Using Frameworks & Methodologies

COBIT 5 Overview

Overview of McGladrey COBIT 5.0 Assessment


The Purpose of Governance
The Role of Governance

http://www.youtube.com/watch?v=IGQmdoK_ZfY

How appropriate ….
The Role of Governance

The purpose of this video is to show that we all get stuck in our day-to-day lives, and
there needs to be a system in place that can detect the “gorilla”. This is commonly
referred to as governance.

Let's see it again


http://www.youtube.com/watch?v=IGQmdoK_ZfY
The Role of Governance
The Value of Governance
• Ability to look at things holistically, see the bigger picture
• Helps ensure that the process is followed
• Removes barriers from getting activities accomplished
• Can aid in making the tough decisions
• Ensure compliance with standards and regulations
• Increases visibility and awareness of a project
Using Frameworks & Methodologies
Pop Quiz
Does this framework look familiar to anyone?

Anyone, Anyone ….
Framework Architecture
The top layer typically refers to what is delivered from the framework to external groups.

The middle sections refer to internal actions/activities/behaviors that build upon the
foundation for delivery.

The bottom indicates a “Foundation” layer – qualities/capabilities that are key to the
framework and its success.

That’s correct: this is the IIA Audit Competency Framework
Other Popular Frameworks
Layers: Standards, Governance, Management, SDLC, Operations

• Governance frameworks typically focus on holistic oversight across an organization or
group.
• Standards frameworks typically provide specific items that must be in place to maintain
a level of compliance.
• Management frameworks typically focus on how to manage specific activities across a
lifecycle for delivering a capability/product.
• Operational frameworks focus more on providing guidance on how to get things done on a
day-to-day basis.

This isn’t black and white; many of these start to bleed over into other layers as each
organization tries to enhance its scope to cover just about everything.
COBIT 5 Framework Overview
Principles of COBIT

The COBIT 5 framework seeks to instill a number of core principles within the organization
to enable success.

Let's review each …

What guides each of these principles?

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.


Source: COBIT® 5, figure 15 – COBIT 5 Governance and Management Key Areas. © 2012 ISACA® All rights reserved.
Taking a deeper dive …
COBIT 5 Overview
COBIT Reference Model
COBIT has 37 different domains that each focus on how to run/manage capabilities across IT.
COBIT Domains
• Evaluate, Direct, and Monitor (EDM): These governance processes deal with the stakeholder
governance objectives (value delivery, risk optimization, and resource optimization) and include
practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring
the outcome.
• Align, Plan, and Organize (APO): Provides direction to solution delivery (BAI) and service delivery and
support (DSS). This domain covers strategy and tactics, and concerns identifying the best way IT can
contribute to the achievement of the business objectives. The realization of the strategic vision needs
to be planned, communicated and managed for different perspectives. A proper organization, as well as
technological infrastructure, should be put in place.
• Build, Acquire, and Implement (BAI): Provides the solutions and passes them on to be turned into
services. To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as
implemented and integrated into the business process. Changes in and maintenance of existing
systems are also covered by this domain, to ensure that the solutions continue to meet business
objectives.
• Deliver, Service, and Support (DSS): Receives the solutions and makes them usable for end users. This
domain is concerned with the actual delivery and support of required services, which include service
delivery, management of security and continuity, service support for users, and management of data
and operational facilities.
• Monitor, Evaluate, and Assess (MEA): Monitors all processes to ensure that the direction provided is
followed. All IT processes need to be regularly assessed over time for their quality and compliance with
control requirements. This domain addresses performance management, monitoring of internal
control, regulatory compliance and governance.
Evaluating COBIT 5
General Benefits of COBIT 5:
• Most holistic framework for managing IT (or any other function for that matter)
• Borrows from many other leading-practice frameworks (PMI, ITIL, COSO…)
• Provides a wealth of knowledge and documentation for improving capabilities and
processes.

Potential Risks of COBIT 5:
• Is it too much?
• Has a few gaps, for instance – how to manage data/information.
• Does it detract focus from core capabilities of IT?
Applying COBIT to IIA
The COBIT Framework can provide the internal audit function with key tools to make life
easier.
• Provides holistic guidance for how to manage IT
• Brings consistency to how daily work and projects are managed and
delivered
• Helps identify exceptions to the standard process, and address them accordingly
• Provides visibility to less-mature capabilities, so mitigating controls can be
put into place
McGladrey COBIT 5 Assessment
COBIT Domain Maturity
5 Optimizing: The process is continuously improved to meet relevant current and projected
business goals.

4 Predictable: The process operates within defined limits to achieve its process outcomes.

3 Established: The process is implemented using a defined process that is capable of
achieving its process outcomes.

2 Managed: The previously described performed process is now implemented in a managed
fashion (planned, monitored, and adjusted) and its work products are appropriately
established, controlled and maintained.

1 Performed: The implemented process achieves its process purpose.

0 Incomplete: The process is not implemented or fails to achieve its process purpose. At
this level, there is little or no evidence of any systematic achievement of the process
purpose.
COBIT Assessment
McGladrey can help your organization quickly assess the IT organization across the COBIT
framework to provide a holistic view on identifying and improving the capabilities of IT.
COBIT Assessment
Our experts can help provide specific detail to the scores, findings and recommendations
across each COBIT domain – giving your organization a detailed roadmap for improving
capabilities.
Questions

ryan.hay@mcgladrey.com