Guest Editorial
INDUSTRY LEADERS EXAMINE
THE LATEST BUSINESS ISSUES
Where Have All the Control Objectives Gone?
They Have Picked Them Every One... 1
Erik Guldentops is an executive professor at the Management School of the University of Antwerp, Belgium, where he lectures on IT security and control, IT governance, and risk management. He worked for many years at SWIFT (Society for Worldwide Interbank Financial Telecommunication), where he held the positions of inspector-general and director of information security and worked with its board and executive management on the subjects of governance, risk, security and control. He held several positions in ISACA and the IT Governance Institute between 1989 and 2007 and helped in the development of COBIT and Val IT. He recently chaired a panel of professors that reviewed the master of IT audit programmes in four universities in The Netherlands.
I still remember the beginning 20 years ago. It was cold in Paris in November 1991 when ISACA’s2 European Regional Council3 met. IT audit knowledge was a major theme of the meeting, especially because this group realised that most of the knowledge came from the US. Somewhat desperate for an EU initiative in IT audit research and publications, they ‘badgered’ me, given my academic contacts, into developing a proposal.
I had been intrigued at the time by EDPAA’s Control Objectives because, on one hand, it seemed a comprehensive set of the issues of IT audit and control, while, on the other hand, its prescriptive nature and typical audit language made techies and managers apprehensive (to put it mildly). To maintain and enhance its value, it was clear to me that it needed a business foundation and management framework. That became COBIT, and the rest is history…until two weeks ago (at the time of this writing in April 2011).
A brain surge in the middle of the night made me realise—although it was very useful—that we never got it right, in all these years, with the COBIT control objectives (COs). Why? Because of the blurring of objective and action! And it is not the first time that the audit profession has struggled with this. Just think of auditors who often push management to apply specific practices while management has its own ideas about achieving the underlying objectives.
And then, this week, serendipity struck! I got the exposure draft of COBIT 5 for review, and what did I see? The COs are gone! It is good that the development team realised that something needed to be done about that; one can debate, however, about what needed to be done.
This brings me back to the history of COBIT, because we struggled with this for close to 20 years. Maybe we can learn something from our struggles.
The first illustration of the issue came with the Peter De Koninck group of experts who began developing the control practices in the second half of the 1990s. They did not explicitly acknowledge the issue of objective vs. action, but, having moved to pure practices, they recognised an underlying need and developed the ‘reasons why’ to support their practices.