The Control Objectives for Information and Related Technology (COBIT) is a set of best practices for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996.

ISACA develops and maintains the internationally recognized COBIT framework, helping IT professionals and enterprise leaders fulfill their IT governance responsibilities while delivering value to the business.

COBIT is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations increase the value attained from IT, enables alignment, and simplifies implementation of the enterprise's IT governance and control framework.

COBIT is a governance framework that an organization can use to ensure that IT is working as effectively as possible to minimize risk and maximize the benefits of technology investments. COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from the use of information technology and in developing appropriate IT governance and control in a company.

COBIT is a globally accepted set of tools that executives and professionals at all organizations can use to ensure that their IT is helping them achieve their goals and objectives. Many executives and managers need to make decisions based on diverse opinions from others, and COBIT provides a common language to better communicate goals, objectives and expected results.

COBIT provides insight on how ICT processes can be launched or implemented. COBIT 4.1 has 34 high-level processes that cover 210 control objectives, categorized in four domains:

Plan and Organize (PO) - Provides direction to solution delivery (AI) and service delivery (DS)
Acquire and Implement (AI) - Provides the solutions and passes them to be turned into services
Deliver and Support (DS) - Receives the solutions and makes them usable for end users
Monitor and Evaluate (ME) - Monitors all processes to ensure that the direction provided is followed

Controls are designed to support seven information criteria:

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability

COBIT 5 has 37 high-level processes in five domains:

Evaluate, Deliver and Monitor (EDM)
Align, Plan and Organize (APO)
Build, Acquire and Implement (BAI)
Deliver, Service and Support (DSS)
Monitor, Evaluate and Assess (MEA)

The 2013 Framework is expected to help organizations design and implement internal control in light of many changes in business and operating environments since the issuance of the original Framework, broaden the application of internal control in addressing operations and reporting objectives, and clarify the requirements for determining what constitutes effective internal control.

COSO has also issued Illustrative Tools for Assessing Effectiveness of a System of Internal Control and the Internal Control over External Financial Reporting (ICEFR): A Compendium of Approaches and Examples. The Illustrative Tools are expected to assist users when assessing whether a system of internal control meets the requirements set forth in the updated Framework. The ICEFR Compendium is particularly relevant to those who prepare financial statements for external purposes based upon requirements set forth in the updated Framework.

Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risks so that they stay within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The framework defines essential enterprise risk management components, discusses key ERM principles and concepts, suggests a common ERM language, and provides clear direction and guidance for enterprise risk management.

Underlying principles:

Every entity, whether for-profit or not, exists to realize value for its
stakeholders.
Value is created, preserved, or eroded by management decisions in all
activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:

Deal effectively with potential future events that create uncertainty.
Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Entity objectives can be viewed in the context of four categories:

Strategic
Operations
Reporting
Compliance

ERM considers activities at all levels of the organization:

Enterprise-level
Division or subsidiary
Business unit processes
