The ISACA has traded in the 7-year-old COBIT 5 for COBIT 2019. This is the second of a 3-part series exploring COBIT 2019.
High-level recap of part 1 – (See The ISACA has traded in COBIT 5 for COBIT 2019 (Part 1 of 3))
On a macro level, COBIT 2019 meets the ISACA’s 3 principles for an appropriate enterprise governance of information and technology (EGIT) framework. At the micro, or organizational level, COBIT 2019 sets out the 6 core principles for an EGIT, including the principle that all organizations need one. These 9 principles, changed and renamed, were the 5 COBIT core principles under COBIT 5.
Also fundamental to COBIT 2019 is that any EGIT system includes 7 different components (enablers under COBIT 5), which interact with each other and influence the good operation of the EGIT. These components include not just the enterprise’s applications, but also the culture, ethics and behaviour, as well as the people, skills and competencies within the organization.
Additionally, the EGIT must consider the organization’s internal and external stakeholders, because ultimately, stakeholder goals cascade or feed into management and governance objectives—the end goal of an EGIT is to ensure that the organization can meet stakeholder goals, balanced and prioritized in the face of scarce resources.
Domains or spheres of responsibilities and control
COBIT 2019 distinguishes between governance and management roles in an enterprise, and assigns each unique, mutually exclusive spheres of responsibility or control, which COBIT 2019 defines as domains.
There are 5 domains, and each domain consists of verbs which describe the domain. Each domain consists of 40 objectives. Only one of the 5 domains falls within the purview of governance, the other 4 belong to management. The COBIT 2019 domains are as follows:
There are 3 new objectives, taking the total number of objectives from 37 under COBIT 5, to 40. APO14 used to be APO13 under COBIT 5, BAI11 used to be BAI10 and MEA04 used to be MEA03. The new objectives are as follows:
- APO14 – Managed Data
- BAI11 – Managed Projects
- MEA04 – Managed Assurance
New domain objectives
The new objectives highlight COBIT 2019’s evolution to encompass additional issues of concern to organizations, including data management, project management and assurance activities.
The goal of the managed data objective (APO14) is to achieve and sustain the effective management of the organization’s data assets across the data lifecycle, from creation through delivery, maintenance and archiving. This is important to organizations because of the increased focus on privacy and more stringent privacy legislation, for example, Europe’s General Data Protection Regulation (GDPR) and the mandatory security breach reporting and notification provisions under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
To achieve the APO14 objectives, the organization must implement the following practices:
- Define how to manage and improve the organization’s data assets, in line with enterprise strategy and objectives;
- Communicate the data management strategy to all stakeholders; and
- Assign roles and responsibilities to ensure that organizational data are managed as critical assets and the data management strategy is implemented and maintained in an effective and sustainable manner.
The goal of the managed projects objective (BAI11) is to ensure that all projects which the organization initiates are based on the standard project management approach. This applies to the way the organization initiates, plans, controls and executes projects, and closes them with a post-implementation review.
To achieve the BAI11 objectives, the organization should implement the following practices:
- Maintain a standard approach for project management that enables governance and management review, decision-making and delivery-management activities; and
- Focus the foregoing activities on business value and goals (for example, requirements, risks, costs, schedule and quality targets).
The goal of the managed assurance objective (MEA04) is to ensure that management plans, scopes and executes assurance initiatives to comply with internal requirements, laws, regulations and strategic objectives. This will enable management to deliver adequate and sustainable assurance by performing independent assurance reviews and activities.
To achieve the MEA04 objectives, the organization should implement the following practices:
These assurance practices will help to ensure that the organization has the appropriate governance, management and assurance roles, and will ensure that they each carry out their functions effectively. This blog, Internal audit is your third line of defense, explains how these roles should interact to operate effectively, making it clear why this is a new objective under COBIT 2019. (You can also read more about the interaction between these roles in Finance and Accounting PolicyPro (GV 1.08 – Relationship with Internal Auditors)).
Information Technology PolicyPro already includes coverage of strategies to help you introduce an effective EGIT system or improve the one you have. Read more about COBIT in the Introduction chapter to the manual. The manual will be updated on a rolling basis to reflect COBIT 2019.