Project Management Best Practices: An Introduction to COBIT

By Haydn Thomas


The final entry in CA’s series on project management best practices is an overview of the Control Objectives for Information and Related Technology (COBIT) framework. Where PMBOK and PRINCE2 are project-focused, COBIT takes a top-down approach that lets managers and auditors establish governance over key issues such as Sarbanes-Oxley compliance.

The newest of the key project-related methodologies, COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996 for IT governance and control. Four editions have been published since November 2005. The recent incremental release, 4.1, includes streamlined control objectives and application controls, improved process controls and an enhanced explanation of performance management.

As a pivotal set of methodologies for ensuring Sarbanes-Oxley Act compliance, COBIT has been rapidly adopted by managers and auditors across major organizations. While adoption of COBIT is global, the principal markets have been the U.S. (especially from the Sarbanes-Oxley perspective) and Europe. The framework bridges the gap between risks, control needs and technical implementation approaches. It provides a process-oriented structure classified by domain, which identifies the resources to be leveraged, defines the control objectives to be considered and incorporates major international standards.

COBIT outlines 34 high-level objectives that cover multiple sub-objectives across four domains:

Planning and Organization – Defining the strategic IT plan and information architecture; determining the technology direction; defining the IT processes, organization and relationships; managing the IT investment; communicating management direction; managing human resources; and managing risk, quality and projects.

Acquisition and Implementation – Identifying and acquiring solutions, software and technology; enabling operation and use; procuring resources; managing changes and accrediting the solutions and changes to them.

Delivery and Support – Defining and managing service levels, third-party services, and performance and capacity; ensuring continuous service and security; identifying and allocating costs; managing the service desk and incidents; managing problems, data, configurations, and the physical environment and operations.

Monitoring and Evaluation – Monitoring and evaluating performance and internal control; ensuring regulatory compliance; and providing IT governance.

The framework focuses on what needs to be done, rather than prescribing how objectives are to be achieved. For example, as part of planning and organization, COBIT recommends implementing a project management framework and its supporting processes. Typically, this leads to the set-up of a PMO and the adoption of a project management methodology such as PMBOK or PRINCE2.

COBIT provides a framework that maps directly to the core IT governance focus areas of strategic alignment, value delivery, resource management, risk management and performance measurement.

By following a business-driven implementation approach, effective IT governance becomes part of the organization’s DNA.

Business Drivers and Value

While the need for good IT governance is generally acknowledged, the implementation of a framework such as COBIT is frequently seen as “something we feel we ought to do,” with no real perspective on the value it delivers to the organization. The keys to a successful implementation are focusing on the business drivers and results the organization is seeking, and recognizing that “zero to hero” may be a journey of many small steps rather than a single leap of faith. Changes to processes will potentially drive organizational and cultural change, so the implementation needs to be managed holistically.

Assessment and Planning

A pragmatic approach for delivery involves two main groups of activity. The first is an assessment, and the second the actual implementation.

A good assessment approach involves the following:

· Establishment/review of business drivers

· Mapping of business drivers against process areas to identify relative importance to the business

· Capability assessment of the process areas to establish the current position

· Comparison with relative importance to set priorities and establish gaps

· Formulation of a high-level solution (this will involve the definition of activity goals, control objectives and audit guidelines)

· Assessment of the impact on the business, which addresses the expected level of cultural change and resistance that is likely to be encountered

· Creation of the roadmap that balances priorities against the ROI (financial and other benefits) expected to accrue (this is likely to be defined as a program involving multiple work streams)


Managing Holistically

Each delivery phase of the implementation will be a multi-threaded program touching many parts of the organization. While there is no “one size fits all” solution, successful implementations of frameworks such as COBIT share some common characteristics, notably:

· A vocal and visible project sponsor capable of taking the “Why are we doing this?” message to all levels of the organization.

· A project team with subject matter experts who are truly representative of the business, and are empowered to make decisions.

· Excellent communications planning and execution.

· A focus on delivering framework components within the agreed timelines. This may mean establishing basic-level processes, controls and metrics around an area, rather than trying to implement every detailed requirement. There is always room for process improvement in later phases.

Make use of technology solutions to automate controls, processes, metrics and audit tracking wherever possible, but be aware that the technology itself is not a “silver bullet.” To succeed, the organization must want to change, and that goal must be reinforced by rewarding the new behaviors. Take the organization’s and individuals’ culture and motivation into account when performing the implementation.

COBIT is a framework for IT governance, and a number of solutions can be leveraged to deliver a high-level COBIT “dashboard” and provide integrated support for the underlying processes and controls defined as part of the framework. Typically, an integrated dashboard is implemented. It provides configurable support for controls and metrics, and at its most basic level can also capture the desired maturity level, the current level and the trend for each process area.

Benefits of Leveraging Best Practices

Best practices span solution implementation methodologies, guidelines on process alignment, reference architectures, configuration recommendations, performance tuning advice, and end-user training (onboarding). Using these best practices in every implementation reduces time to value and increases user adoption. Both factors are critical to the success of PMBOK, PRINCE2 and COBIT implementations across the organization.

For more on Project Management go to Project Manager Planet.com.


Haydn Thomas brings more than 15 years of experience implementing enterprise-wide project management systems to his position as a certified architect of CA Clarity PPM software. Most recently, Haydn has been responsible for overseeing CA Clarity PPM r8 upgrades within some of CA’s marquee financial, telecommunications, pharmaceutical, IT and public sector customers.

Julie Tilke has worked in the areas of project portfolio management and IT governance for over 20 years. Initially working on processes and techniques for project management (PROMPT and later PRINCE), Tilke developed an interest in the emerging technologies that support these implementation approaches. After a five-year stint with Softlab managing its U.K. consulting and training practices, she took time out to manage the European delivery team of a small systems integrator.