• Learn more and collaborate on COBIT topics at
• Comment on the COBIT 5 Public Exposure,
scheduled for mid-June to mid-July.
and processes were not the perfect match that we had thought
them to be. We also did not pursue the concept because we
could not see how it fit in the framework. This was a warning
flag, but got lost in the extensive development projects of
The final piece of the puzzle relates to the ongoing debate
of ‘best practice’ vs. ‘good practice’ and another concept that
I would call ‘a necessary and reasonably acceptable practice’.
By that, I mean that if there is only one good practice or a
necessary but not sufficient good practice to respond to a
control objective, there is a lesser need to make a distinction
between objective and action. There are cases like that in
the COs, but, I suspect, they comprise a strong minority.
One interesting, overlooked example is COBIT’s successful
process structure, which really is a necessary good practice for
efficiently implementing IT goals!
To conclude, there is a need for COs, but they should be
devoid of any implied action. Maybe calling them control
requirements will help. If they were developed like that, they
would apply to all enterprises, whatever their industry, sector,
size, risk profile or culture.
Such a development initiative would also respond to
something that our profession has been lacking: to perform
fundamental research into the concepts of IT auditing. I suspect
that this could lead us back to the beginning of the COBIT
development cycle because control objectives will likely be
expressed in the original seven information criteria of COBIT’s
first edition: efficiency, effectiveness, confidentiality, integrity,
availability, compliance and reliability. Testing these principles
against later developments such as COSO and ISO 38500, as
well as against earlier developments such as Internal Control
and Agency Theories, would provide a sound research basis.
Figure 1—A First Cut at Control Requirements for IT
All domains • Efficiency
• Accountability for that investment towards
• Monitoring and evaluating management
• Responsibility (for the charge given and
• Directing the enterprise
• Aligning (the interests of) different entities
• Supervising the enterprise
• Measuring results
• Continuous improvement
• Segregation of duties
• What other domains create control requirements?
• How to handle dependencies, e.g., confidentiality as a form
• Where is the fine line between principle and action, e.g., alignment
is a set of management practices to ensure different enterprise
entities work together properly, or segregation of duties, which is a
management practice for setting up the organisation such that no
single individual can perform a sensitive transaction?
• What about generally accepted necessary practices that have no
(risk-free) alternative such as process-orientation, business/IT
alignment or segregation of duties as mentioned above? Do they
then become control requirements?
COs reworked as requirements would fit very well with a
new and necessary development in COBIT 5, i.e., the concept
of governance enablers—currently defined as frameworks,
processes, organisational structures, principles and policies.
Figure 1 provides a ‘first cut’ of these control requirements.