
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005

Refining IT Processes Using COBIT

By Stephen Reingold, CISA

Perhaps the most compelling reason for refining IT processes is the potential for IT and business management to change the way they think about IT services. As organizations begin to examine and refine IT processes, there is a good chance that management will start challenging assumptions and ask questions such as, "Why are we doing this?" or "Should we be doing something else?"

Other benefits of continually refining IT processes include (but are not limited to):

Increased IT process efficiency and effectiveness
Greater IT process and product quality
Increased strategic and tactical alignment between IT and the business
Improved productivity

While an organization can expect to realize one or more of these benefits, it may actually experience a paradigm shift in the way it views and delivers IT services.

Best Practices

IT process refinement follows a life cycle approach (figure 1) [1, 2]. As seen in figure 1, step 3 feeds back into step 1. The results of each IT process refinement evaluation are fed back into step 1, and the process starts all over again.

How Can COBIT Help?

Control Objectives for Information and related Technology (COBIT) can be used to facilitate each of the three IT process refinement steps shown in figure 1.

Step 1: Evaluate Current IT Processes

COBIT's maturity models define six process maturity levels against which the maturity (or sophistication) of IT processes may be gauged. The six levels range from nonexistent to optimized. COBIT Management Guidelines defines them as follows:

0 Nonexistent: Management processes are not applied at all.
1 Initial: Processes are ad hoc and disorganized.
2 Repeatable: Processes follow a regular pattern.
3 Defined: Processes are documented and communicated.
4 Managed: Processes are monitored and measured.
5 Optimized: Best practices are followed and automated.

COBIT's maturity models also define six IT management practice groupings against which the six maturity levels from Management Guidelines are applied at increasing levels. The six IT management practice groupings consist of:

1. Understanding and awareness of risks and control issues
2. Training and communication applied on the issues
3. Process and practices that are implemented
4. Techniques and automation to make processes more effective and efficient
5. Degree of compliance to internal policy, laws and regulations
6. Type and extent of expertise employed

While it is certainly possible to benchmark all of an organization's IT processes (COBIT Framework defines 34 such processes), one might want to select a smaller, more manageable number of processes to benchmark.

By objectively assessing each of the selected IT processes against the six IT management practice groupings, the organization can quickly see where the IT process strengths and weaknesses lie.

Copyright 2005 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Figure 1: IT Process Refinement Cycle
Step 1: Evaluate current IT processes. -> Step 2: Identify process improvement goals. -> Step 3: Evaluate improvement efforts. -> (back to step 1)

Figure 2: Assessing Business Risks

IT Management Domain:   | Understanding and Awareness | Training and Communication | Implementation of Processes and Practices | Techniques and Automation | Compliance | Expertise
IT Process:             |                             |                            |                                           |                           |            |
Manage changes          | 2                           | 3                          | 3                                         | 2                         | 1          | 0
Manage service levels   | 1                           | 4                          | 5                                         | 0                         | 0          | 3

Legend: 0-1 Maturity level: low; 2-3 Maturity level: medium; 4-5 Maturity level: high


Figure 2 contains an example of how one might graphically depict the findings. As can be seen from figure 2, it is easy to determine the strengths and weaknesses of each IT process.

Considerations for Benchmarking

To kick off the benchmarking activities, the right people must be involved, including user representative(s), the IT process owner, members of the IT department and an auditor. The primary advantage of including auditors in an organization's benchmarking exercise is that they have a broad, cross-organizational perspective of IT processes.

Step 2: Identify IT Process Improvement Goals

The results of step 1 can be used to identify IT process improvement goals. Essentially, anything that falls between maturity levels of 0 and 3 requires some level of improvement. Users who are most impacted by each of the IT processes chosen for review should be consulted to determine which IT processes (and IT process refinement opportunities) are most important to the organization.

How Much Improvement?

According to COBIT, "The right maturity level will be influenced by the enterprise's business objectives and operating environment. Specifically, the level of control maturity will depend on the enterprise's dependence on IT, the technology sophistication and, most important, the value of its information."

Organizations should not try to move too far up the maturity ladder at once (e.g., from a 1 to a 4). As indicated earlier, IT process refinement should be viewed as an iterative process. Improving IT processes gradually has the additional benefit of giving organizations an opportunity to gauge progress and learn from experience. Another major benefit of improving gradually is that it may reduce the initial resistance that comes whenever change is introduced.
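As an added example that is not part of the original article, the following Python code turns the figure 2 assessment grid, its legend bands and the step 2 rule (levels 0 to 3 need improvement, advanced one level per iteration) into a small scoring routine. The grouping names are shortened from the article's six practice groupings, and the two sample rows are taken from figure 2.

```python
# Added example (not from the article): figure 2 grid, legend bands and the
# step 2 "0..3 needs improvement" rule. Grouping names are shortened forms of
# the article's six practice groupings.
GROUPINGS = (
    "Understanding and awareness",
    "Training and communication",
    "Processes and practices",
    "Techniques and automation",
    "Compliance",
    "Expertise",
)

# Constructed from the two sample rows shown in figure 2.
ASSESSMENT = {
    "Manage changes": (2, 3, 3, 2, 1, 0),
    "Manage service levels": (1, 4, 5, 0, 0, 3),
}


def band(level):
    """Figure 2 legend: 0-1 low, 2-3 medium, 4-5 high; anything else is invalid."""
    if not isinstance(level, int) or not 0 <= level <= 5:
        raise ValueError(f"maturity level must be an integer 0..5, got {level!r}")
    return "low" if level <= 1 else "medium" if level <= 3 else "high"


def profile(scores):
    """Map each practice grouping to its legend band (one figure 2 row)."""
    if len(scores) != len(GROUPINGS):
        raise ValueError("one score per practice grouping is required")
    return {g: band(s) for g, s in zip(GROUPINGS, scores)}


def improvement_goals(scores, step=1):
    """Step 2: every grouping at level 0..3 gets a target level. The article
    advises against jumping several levels at once, so the default is one
    level up per iteration; the level 5 ceiling is never exceeded."""
    return {g: min(s + step, 5) for g, s in zip(GROUPINGS, scores) if s <= 3}


def weakest(scores):
    """Groupings tied at the lowest level: the first place to look for weaknesses."""
    low = min(scores)
    return [g for g, s in zip(GROUPINGS, scores) if s == low]


if __name__ == "__main__":
    for process, scores in ASSESSMENT.items():
        print(process, profile(scores))
        print("  weakest:", weakest(scores))
        print("  next-iteration targets:", improvement_goals(scores))
```

After an improvement cycle, the re-assessed scores simply replace the row in the grid and the same functions produce the next iteration's goals, which is the step 3 to step 1 feedback of figure 1.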

Step 3: Evaluate Improvement Efforts

In addition to maturity models, COBIT Management Guidelines defines key goal indicators (KGIs) and key performance indicators (KPIs) that can be used to measure IT process refinements:

KGIs tell management, after the fact, whether an IT process has achieved its business requirements.
KPIs define measures to determine how well the IT process is performing in enabling the goal to be reached.

KGIs and KPIs can be used to evaluate the result of process refinement efforts. KPIs are best suited to measuring improvements in efficiency, since they are process-oriented, and KGIs are best suited to evaluating improvements in effectiveness, since they are business goal-oriented.

A manageable number of KGIs and KPIs (between three and five) for which information is readily available should be selected. For the three to five KGIs and KPIs selected for each IT process refinement effort, how the selected IT processes stack up against each of the KGIs and KPIs should be determined before undertaking the refinement of those processes.

Conclusion

IT process refinement is not only beneficial for improving process efficiency and effectiveness, but also for changing the way IT and business managers view IT services. The three-step model presented demonstrates how an organization can refine its IT processes, not once, but continually. COBIT's maturity models may be used to facilitate an organization's IT process refinement efforts.

Endnotes

1 META Group; IT Process Refinement and Performance Measurement: Leveraging Best Practices, Executive Briefing, 2004
2 ITGI; Control Objectives for Information and related Technology (COBIT) 3rd Edition, Management Guidelines, 2000

Stephen Reingold, CISA
has been working for the internal audit division of the government of Ontario, Canada, for more than five years. In addition to auditing data security and Internet application security, Reingold has performed extensive SDLC and security consultations with clients.

Disclaimer

The opinions expressed by the author are personal and do not necessarily represent the views of either the Management Board Secretariat or the Ontario, Canada, government.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.

Copyright 2005 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org