Posted by: David Schneier
Audit, COBIT, GLBA, ISACA, ITGI, NCUA, Regulatory Compliance, risk, risk assessment, Risk IT, SOX, Val IT
I have an associate who has an addiction to certifications. He’s one of those “too smart for his own good” geniuses who often decides to change his career course and starts by obtaining whatever accreditation or cert is needed to do so. When he lists all of these accreditations and certs after his name, it looks as though someone tossed their alphabet soup lunch. But his logic is that having the appropriate governing body’s seal of approval is akin to knowing the secret password needed to gain access to the right job.
Sometimes I think COBIT is used much the same way.
For those of you who aren’t familiar with COBIT, it’s a framework that has revolutionized the world of governance and compliance for the better. It was the only beacon in the vast, dark ocean of SOX insanity a few years back, providing much needed guidance for corporate America to follow and continues to serve as the best source when designing controls within the infrastructure. It’s comprehensive, well organized and when understood and applied properly, it can be very effective.
But it’s not akin to the Bible and it’s definitely not an IT audit framework or program.
And yet I often hear fellow practitioners dropping COBIT references like it somehow validates them as legitimate members of the IT audit club (which by the way is called ISACA and only requires an annual membership fee).
Just this week, I heard that someone discussed conducting a COBIT-based audit when asked about their approach to conducting an IT general controls (ITGC) audit. Two weeks ago, my partner asked me about an RFP we received in which the institution wanted to know if we based our ITGC audit on COBIT or any other recognized framework. It’s gotten to the point where the term “COBIT-based” has become ubiquitous within the IT audit domain. Years ago, during the aforementioned SOX insanity, there was a running joke with a client in which every sentence was laced with a SOX reference (e.g. Good SOX morning, Happy SOX New Year, etc.). Now it seems as though COBIT has replaced SOX in that regard.
Um, has anyone actually read the framework? I mean actually sat down and read it from the executive summary through to ME4 (the last of the control objective areas in the PDF). And how many people have actually tried to implement COBIT as it’s intended to be used? It’s a mountain of information that requires a ton of analysis and customization prior to being implemented. And it’s not suited to organizations of every size, big and small alike. For many of the community banks and similarly sized credit unions that I commonly work with, it’s simply overkill.
But again, it’s not an audit framework and it’s not an audit program. And it’s entirely possible to build out an IT controls framework and never once rely upon COBIT to do so.
By the way, for those of you who aren’t familiar with the IT Governance Institute (ITGI), it’s a research think tank that exists to be the leading reference on IT governance for the global business community. In the time since COBIT made its inroads into corporate America and the audit vernacular, ITGI has amped it up a notch. Now they also publish Val IT and more recently Risk IT.
So now I’m bracing for the onslaught of risk assessments that are “Risk IT” based. But I never had a problem conducting a risk assessment before this standard existed and I doubt I’ll crack it open when conducting one in the near future. Did we really need this? And how will this drive the audit and compliance industry?
Frameworks have a place in this world, don’t get me wrong. But it’s like when I bought my Roto Zip hand saw a few years back; I walked around my house looking for things I could use it for rather than simply using it when it made sense. COBIT is awesome and it’s helped provide clarity in many, many ways. But it isn’t the official book of record for audit and compliance within IT; it’s just another tool in the toolbox. I realize that on the planet of ISACA that’s akin to blasphemy, but I offer no apologies. I refuse to build an audit program for a community bank that’s supported by two IT resources based on the 200 plus control objectives in COBIT.
And on that note I bid you a good COBIT day.