An Environment Under a Methodological Work Scheme
A work environment governed by a methodological scheme gives structure to the way objectives are achieved. For this reason, we want to delve into one of the methodologies implemented in the IT area to strengthen, control, and ensure compliance within the organization.
Analysis of the Context Where the Need for an IT Organization Under a Methodological Framework Arises: COBIT
Events such as the enactment and application of laws and regulations like Sarbanes-Oxley, in effect since 2002, which requires companies listed on the New York Stock Exchange to thoroughly control the generation of their financial statements, created the need to establish organizational sectors with standardized and traceable processes.
As a result, today we see that in large publicly traded companies, there is a greater concern about controlling their IT systems. This topic has become part of the auditors’ tasks and the board of directors’ agenda.
Why this concern about IT control and governance? It is now recognized that businesses do not operate without IT, meaning that part of the business risk lies in IT systems; hence the imperative need to control these risks.
We know that to control any process, it is necessary to have a measurement mechanism, a mechanism for detecting deviations, and another for correcting them. Naturally, IT Governance introduces these mechanisms, and methodologies like those developed in COBIT provide a model for this. However, we must remember that all control mechanisms have a cost: they require trained IT personnel, auditors, and external consultants, and they introduce new elements to consider in the design and implementation of procedures and software. They also imply a transition plan from the current situation to the desired one.
In summary, COBIT is technically feasible to apply in any IT area of medium-sized companies and larger, but its implementation cost is justified only if the board has compelling reasons for it: for example, the application of laws like Sarbanes-Oxley, shareholder agreements, specific country regulations, etc.
What is COBIT? What Processes are Identified by COBIT?
COBIT (Control Objectives for Information and related Technology) is a framework for establishing a set of processes that, once implemented, allow the IT area to be properly organized, with measurable, efficient processes and a maturity model that facilitates continuous improvement and the execution of audits.
This model is based on processes grouped into domains, which we describe below:
Plan and Organize (PO)
This domain covers strategy and tactics, aiming to identify how IT can best contribute to achieving the company’s business objectives. Executing the strategic vision requires planning, dissemination, and management from different perspectives. Adequate organization and a corresponding technological platform are necessary. Thus, this domain typically addresses the following questions:
- Are IT efforts aligned with the business strategy?
- Is the company using its IT resources optimally?
- Does everyone in the company understand IT objectives?
- Are IT risks understood and properly managed?
- Is the quality of IT systems adequate to meet business needs?
Acquire and Implement (AI)
To realize the IT strategy, technological solutions need to be identified, developed or acquired, implemented, and integrated into business processes. Additionally, every system requires changes and maintenance to ensure it continues to meet business requirements. For this domain, the following questions arise:
- Do new projects have the potential to deliver solutions that meet business needs?
- Is it feasible for new projects to be executed within agreed timelines and budgets?
- Will new systems operate properly once implemented?
- Can changes be made without jeopardizing business operations?
Deliver and Support (DS)
This domain deals with delivering the required services, including service provision, security and continuity management, user support, data management, and the management of technological platform facilities. For these purposes, the following questions need to be asked:
- Are IT services being provided according to business priorities?
- Are IT costs optimized?
- Is the workforce able to use IT systems productively and securely?
- Is the confidentiality, integrity, and availability of IT systems properly managed?
Monitor and Evaluate (ME)
All IT processes need periodic verification through controls for quality and compliance. This domain deals with performance management, internal control monitoring, regulatory compliance, and governance. Typical questions in this domain are:
- Do IT performance measurement systems allow timely detection of problems?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be related to business objectives?
- Are risks, control, compliance, and performance being measured and reported?
Conclusions
Clearly, COBIT is a framework for professionalizing a company’s IT area, whether its capabilities are in-house or outsourced. Currently, the IT area is recognized by the board as a key component in successfully achieving the organization’s objectives. Therefore, implementing methods that achieve efficiencies within IT will help this department provide quality services to stakeholders within the company.