COBIT Tool Kit Enhancements

Author: Peter C. Tessin, CISA, CRISC, CISM, CGEIT
Date Published: 4 May 2020

The COBIT® Tool Kit has a number of resources to aid practitioners, including an overview, an executive summary, frequently asked questions (FAQs), a listing of the governance and management objectives in spreadsheet format, and more.

ISACA® has added a new Excel-based Responsible, Accountable, Consulted and Informed (RACI) matrix in the COBIT 2019 tool kit to help practitioners identify the areas of responsibility and accountability for enterprise roles critical to a well-designed governance system. Understanding who is accountable and responsible for particular processes and practices is key to maintaining an effective governance system.

For decades, business and IT practitioners have made use of RACI charts. In all likelihood, most practitioners currently use these in their enterprise to assign roles to tasks or practices. COBIT has had RACI charts in several prior versions of the framework, and it continues to make use of them in COBIT 2019.

In COBIT 2019, the RACI charts follow each governance and management objective and include the practices for each objective. What the RACI charts in COBIT 2019¹ do not show, however, is all the practices assigned to each role across the 40 governance and management objectives and their respective practices. The new tool breaks out each of the 231 COBIT practices and provides flexible guidance on which role in the organization is Responsible or Accountable for each practice. Once these key assignments are determined, practitioners can determine remaining role assignments for “Consulted” and “Informed” based on the unique requirements of their enterprise. The spreadsheet format allows practitioners to easily customize the material for use in their organization.

Each role is contained on a separate tab within the spreadsheet. The first tab displays a table of contents to help the user navigate the spreadsheet. The second tab on the spreadsheet shows the entirety of the RACI contained in COBIT 2019, and the remaining tabs relate to individual roles within an enterprise. For example, the 16th tab, related to audit, shows that this role is Responsible for 2 practices and Accountable for 9 practices (figure 1).

Figure 1—Example COBIT RACI for Audit

The value of this tool is that it provides a convenient means of quickly assessing and assigning relevant roles to practices across the 40 COBIT objectives. COBIT promotes using a common language and common understanding among practitioners. Common terminology facilitates communication and mitigates opportunities for error. Using RACI charts and the new COBIT Tool Kit spreadsheet provides the guidance to help practitioners extract the COBIT practices relevant for each job role.

Another benefit of compiling all practices into a single RACI chart is that metrics reporting can be better assessed. A user can filter all practices by accountability of a single role and then compare metrics reporting on those practices and determine whether sufficient coverage has been created. An assessment of that type is not as effective when RACIs are developed at the higher, objective, level.

The new spreadsheet can be found in the complementary COBIT 2019 Tool Kit. The tool kit is available on the COBIT page of the ISACA website. Scroll down to the “MORE IMPLEMENTATION RESOURCES” heading and click on the red “ACCESS THE COBIT TOOL KIT” button to download the tool kit.

Peter C. Tessin, CISA, CRISC, CISM, CGEIT, is a senior manager at Discover Financial Services. He leads the governance group within Business Technology (BT) Risk. In this role, he is responsible for ensuring that policy, standards and procedures align with corporate objectives. He serves as the internal party responsible for regulatory exam management and is the internal liaison to Corporate Risk Management. Prior to this role, Tessin was a technical research manager at ISACA where he was the project manager for COBIT 5 and led the development of other COBIT 5-related publications, white papers and articles. Tessin also played a central role in the design of COBIT online, ISACA’s website that offers convenient access to the COBIT 5 product family and includes interactive digital tools to assist in the use of COBIT. Prior to joining ISACA, Tessin was a senior manager at an internal audit firm, where he led client engagements and was responsible for IT and financial audit teams. Previously, he worked in various industry roles including staff accountant, application developer, accounting systems consultant and trainer, business analyst, project manager, and auditor. He has worked in many countries outside of his native United States, including Australia, Canada, France, Germany, Italy, Jordan, Mexico and the United Kingdom.

Endnotes

1 ISACA, COBIT 2019 Framework: Governance and Management Objectives, USA, 2018