1. How did COBIT 4.0 evolve?

It is the intention of the IT Governance Institute and through its COBIT Steering Committee, to continuously evolve the COBIT body of knowledge. To address that goal, over the past two years the committee has led research into several detailed aspects of the control objectives and the management guidelines. The research was based on the expertise and volunteer teams of ISACA members, COBIT users, expert advisors and academics. Local development groups of 6 to 10 experts in Brussels (Belgium), London (UK), Chicago (USA), Canberra (Australia), Cape Town (South Africa), Washington DC (USA) and Copenhagen (Denmark) convened, on average, two to three times per year to work on specific research or review tasks assigned by the COBIT Steering Committee. In addition, some specific research projects were assigned to business schools such as the University of Antwerp Management School (UAMS, Belgium) and the University of Hawaii (USA).

The results of these activities were fed to a number of large workshops of 40 to 50 international experts focusing on the control objectives, management guidelines and maturity model components of the framework. The COBIT Steering Committee consolidated all results and an exposure draft to more than 90 specialists completed the production process.

2. What changes have occurred in the business environment to spur an update of COBIT?

Many changes in the way business operate have made updates in COBIT imperative:

• Increasing IT management focus— The need to provide management and control guidance suitable for the current IT operational environment
• More varied assurance audience —The need to meet the needs of auditors, regulators, security experts and others involved in providing assurance about the performance of IT in many different circumstances
• Greater focus on governance at board levels —Making sure there is a sufficient business focus and mechanisms for aligning the management and control of IT objectives with the needs of the enterprise
• Increased maturity of IT best practices and standards —Making sure that as enterprises increasingly adopt specialized guidance such as ITIL and ISO 17799, COBIT can be used as the integrator and overarching umbrella framework and continue to be regarded as a highly credible and practical guidance for overall IT control
• Integrated use by the three main target audiences: management, IT and auditors —Making sure that the structure, presentation and language used provide for easier understanding and application by management-level stakeholders as well as practitioners and professionals
• Growth in regulation and compliance —Making sure that COBIT covers the full scope of IT governance and showing how it maps to the IT governance domains and the COSO framework, thus ensuring that it can continue to be regarded as the de facto IT control framework for IT governance

3. What were the areas of focus in the update to COBIT 4.0?

• IT governance— Based on the five domains of alignment, value delivery, risk management, resource management and performance measurement, as defined by ITGI. Although COBIT covered most aspects, analysis showed some gaps that have now been filled by adjusting some of the IT process titles and adding some new control objectives. COBIT 4.0 contains a matrix mapping all IT processes to the governance domains.
• Business requirements— COBIT’s orientation to business requirements has always been fundamental and based on the information criteria. Extensive research carried out by the University of Antwerp into how IT supports business objectives in a variety of industry sectors provided a generic cross-reference of common business goals to IT goals. A table is provided showing the relationship among business goals, IT goals and COBIT’s IT processes to help users identify business to IT linkages in their own organizations. This was also used to improve the goal and performance metrics.
• Harmonization —To help users to integrate COBIT more easily with other, more detailed, guidance, such as ITIL, ISO 17799, PMBOK and PRINCE 2, the terms and principles used within COBIT 4.0 have been better harmonized.
• Value creation —Because of COBIT’s audit origins there has been a strong emphasis on controls to manage risk. COBIT 4.0 provides a better balance between risk and value, and draws on recent new research on IT value management.
• Enterprise architecture — COBIT 4.0 provides RACI charts (who is responsible, accountable, consulted and informed) to address process roles and responsibilities for each IT process, and enterprise architecture principles are now explained within the framework, linking goals, resources, information and processes.
• Process definitions and process flows— To improve understanding of the IT process model, COBIT 4.0 contains descriptions of each process together with process inputs and outputs with cross-references to other processes.
• Language and presentation— More concise, contemporary and action-oriented language has been used in COBIT 4.0. The control objectives and management guideline content have been combined by IT process.
• Feedback— Comments and recommendations are received on a regular basis from users and these, together with feedback from three COBIT User Conventions, were used to help improve the content of COBIT 4.0.

4. Which COBIT components were changed in the development of COBIT 4.0?

  Control Objectives

• COBIT—IT governance bottom-up alignment – An analysis into how the detailed Control Objectives can be mapped to the five IT Governance domains to identify potential gaps
• COBIT—IT governance top-down alignment – A research into important IT Governance practices that are not yet (fully) covered in COBIT 3.0 to be able to address potential gaps
• Harmonization of COBIT and other detailed standards—A detailed mapping between COBIT and ITIL, CMM, COSO, PMBOK, ISF and ISO/IEC 17799 to enable harmonization with those standards in language, definitions and concepts

  Although there were 34 high-level control objectives in COBIT 3 rd Edition and 34 in COBIT 4.0, they are not the same 34. The changes can be summarized as follows:

• The M domain has now become ME, standing for Monitor and Evaluate.
• M3 and M4 were audit processes and not IT processes. They have been removed, as they are adequately covered by a number of IT audit standards, but hooks have been provided within the updated framework to highlight management’s need for, and use of, assurance functions.
• ME3 covers the process of governance oversight over IT.
• ME4 is the process related to regulatory oversight, which was previously covered by PO8.
• With the removal of PO8 and the need to keep the numbering for PO9 Assess risk and PO10 Manage projects consistent with COBIT 3rd Edition, PO8 now becomes Manage quality, the old PO11 process. The PO domain now has 10 processes instead of 11.
• The AI domain required two changes: the addition of a procurement process and the need to include in AI5 the aspects of release management. The latter change suggested that this should be the last process in the AI domain and hence it became AI7. The slot this created at AI5 was then used to add the new procurement process. The AI domain now has seven instead of six processes.

  Management Guidelines

• Clarification of KGI-KPI causal relationships – Identifying in more detail how KPIs drive the achievement of the KGIs
• Review of the quality of the KGIs, KPIs and CSFs—Based on the KPI/KGI causal relationship analysis, improve the quality of the metrics
• Splitting the CSFs into what one needs from others (inputs) and what one needs to do oneself (management practices)
• Detailed analysis of metrics concepts—Detailed development with metrics experts to enhance the metrics concepts, building up a cascade of process-IT-business metrics and identifying quality criteria for metrics
• Linking business goal, IT goals and IT processes—Detailed research in eight different industries resulting in a more detailed insight into how COBIT processes support the achievement of specific IT goals and, by extension, business goals; results then generalized
• Review of the maturity model contents—Ensuring consistency and quality of maturity levels between and within processes, including improved and expanded definitions of maturity model attributes

5. What is included in the new COBIT 4.0 volume?

The new COBIT volume consists of four sections:

• The executive overview
• The framework
• The core content (high-level and detailed control objectives, management guidelines and maturity models)
• Appendices (various mappings and cross-references, more maturity model information, reference material, a project description and a glossary)

The core content is divided according to the 34 IT process. Each process is covered in four sections of approximately one page each, combining to give a complete picture of how to control, manage and measure the process. The four sections for each process, in order, are:

• The high level control objective for the process
  • A process description summarizing the process objectives
  • A high-level control objective represented in a waterfall summarizing process goals, metrics and practices
  • The mapping of the process to the process domains, information criteria and IT resources.
• The detailed control objectives for the process
• Management guidelines: the process inputs and outputs, a RACI (responsible, accountable, consulted and/or informed) chart, goal and metrics
• The maturity model for the process

Another way of viewing the process performance content is:

6. How is COBIT 4.0 different from COBIT 3 rd Edition?

COBIT 4.0 replaces the third edition components Executive Summary, Framework, Control Objectives and Management Guidelines. Work is underway to update the control practices and Audit Guidelines to reflect the changes in the COBIT framework and content at 4.0. The third edition’s Implementation Tool Set is superseded by IT Governance Implementation Guide, released in 2003, although the Implementation Tool Set is still available and useful in many ways.

7. Does COBIT 4.0 replace COBIT 3 rd Edition?

No. COBIT 4.0 is an enhancement of COBIT 3 rd Edition and in no way invalidates any implementation or execution activities based on COBIT 3 rd Edition. Such arrangements are fully compatible with COBIT 4.0. The introduction of COBIT 4.0 provides the opportunity to further improve IT governance and control arrangements, where appropriate, as a transition exercise. Mappings to support this transition are included in a COBIT 4.0 appendix, and release 3.2 of COBIT Online will remain available, in a frozen state, to support transition activity.

At the same time, however, future COBIT update activity will take place electronically and on an ongoing basis via new releases (post-3.2) of COBIT Online. Occasional print copies will be released when the update activity warrants.

     欲了解更多相关信息，请联系it@itgov.org.cn