Regulations vary substantially across organizations and market segments, but the intent of regulatory compliance remains unchanged: it requires that businesses implement a set of policies, guidelines, and strategies aimed at protecting sensitive information assets. The consequences of noncompliance may vary, but usually include fines, jail time, and lawsuits, growing regulatory oversight, and, most important, the loss of the enterprise’s reputation in the market and of customer trust. COBIT is used to optimize available IT resources and helps align the aims of regulatory compliance with strategic business objectives.
IT Governance and COBIT Framework
IT is critical to the success of business. Regulatory compliance is one of the essential business areas where information technology helps maintain the stability of financial and legal performance, regardless of the organization’s structure or the type of business enterprise. As legislation becomes more sophisticated, IT’s role in maintaining regulatory compliance becomes even more important; businesses view IT as the key to developing reliable and relevant solutions and as a source of powerful business decisions, which help address political and cultural issues within small and large organizations alike. The COBIT framework is only one of many elements businesses use to support regulatory compliance.
IT’s role in maintaining regulatory compliance
The concept of regulatory compliance is the product of the transformed realities facing modern e-corporations. “Regulations are having an enormous impact on every firm that does business over the Internet” (Cognos, 2006). These regulations may vary substantially across organizations and market segments, but the intent of regulatory compliance remains unchanged: it requires that businesses implement a set of policies, guidelines, and strategies aimed at protecting sensitive information assets (Microsoft, 2006). Sarbanes-Oxley, the PCI Data Security Standard, and CA Senate Bill 1386 form the basis for the development and implementation of specific regulatory standards across organizations. Ultimately, regulatory compliance opens the way to effective assessment, audit, and monitoring of information assets, moving away from manual processes and toward radically new, cost-effective automated solutions that meet the needs and challenges of the contemporary regulatory environment.
Specialists recognize the crucial role of IT solutions in business. “The nature of IT’s role in compliance varies widely among companies, but it is clear that growing regulatory requirements are giving IT specialists a lot more work and bringing them into contact with different corporate departments” (Cognos, 2006). To maintain effective and reasonable regulatory compliance, organizations use information technology as the instrument for managing IT-related risks; in IT governance, risk, value, and control remain the three integral components of successful organizational change. Information technology solutions are now designed to guarantee compatibility and alignment between the enterprise’s IT and its strategic business objectives. IT helps enterprises gain competitive advantage and capitalize on their information opportunities. In regulatory compliance, IT forms a new, stable architecture of business objectives and helps determine and combine the most effective instruments for managing the enterprise’s regulatory compliance decisions.
Companies cannot willingly ignore compliance directives and can be seriously penalized for noncompliance. The consequences of noncompliance can be numerous and usually put companies into extremely challenging business environments. “These consequences can extend beyond financial, civil, or criminal penalties to affect the organization’s reputation in the market and its ability to access resources it needs to succeed” (Microsoft, 2006). The consequences of noncompliance may vary, but usually include fines, jail time, and lawsuits, growing regulatory oversight, and, most important, the loss of the enterprise’s reputation in the market and of customer trust. For the majority of modern organizations, regulatory compliance is compulsory and requires a better understanding of how IT can be used to face growing information challenges. It is not uncommon for regulatory compliance to be used as the justification for automating manual processes that have already become inefficient. Although the costs of regulatory compliance constantly grow, organizations have no choice and should be prepared to invest in the development and implementation of various types of IT management and control systems; among these, COBIT is one of the most reliable and most widely applicable solutions, leading to better regulatory compliance and opening new market opportunities for businesses.
COBIT Framework: better regulatory compliance through better control
Control Objectives for Information and related Technology (COBIT) is used to maintain better regulatory compliance in organizations. COBIT’s mission is “to research, develop, publicize and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers” (IT Governance Institute, 2008). COBIT is used to optimize available IT resources and helps align the aims of regulatory compliance with strategic business objectives. In general terms, the COBIT framework supports regulatory compliance through four elements: it links information control to business requirements; it organizes IT activities into a completely new process model; it helps identify which IT resources should be leveraged to guarantee the safety and protection of valuable information assets; and it defines critical management control objectives (IT Governance Institute, 2008). COBIT provides enterprises with a set of unique and reliable measures that help identify the need for improvement and ensure that undesired events are prevented (IT Governance Institute, 2008). COBIT also offers additional opportunities for performance management at different levels of organizational performance. Performance measurement is required to provide safety and transparency of IT solutions.
The COBIT framework is based on the cyclical principle of information flow in organizations: “to provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information” (IT Governance Institute, 2008). COBIT combines business orientation with a process-focused approach to information management. The use of simple, common language is combined with a single, convenient process model in which everyone is able to monitor and manage IT activities. This process model integrates effective business communication with sound management practices and clear accountability principles. All COBIT processes are described in detail and have a clear set of control objectives, each identified by its process control (PC) number. The standard input and output requirements for each process include quality standards, IT policies, HR responsibilities, and similar items.
Despite the growing demand for new automated business solutions, not all business processes are automated. Some procedures require manual verification or manual control and cannot be entrusted to automated IT systems. COBIT offers an extremely effective approach to integrating manual processes with automated controls. In COBIT, automated process control is combined with manual verification and authorization, maintaining better regulatory compliance and ensuring the availability of information critical to the success of the business. Ultimately, the COBIT framework successfully ties IT governance objectives to business information requirements. COBIT manages the enterprise’s IT resources, aligning its control objectives with the measurement and monitoring of the quality of enterprise performance.
Regulatory compliance places enterprises in a challenging business environment, where automated IT solutions must be professionally integrated with strategic business objectives to guarantee effective management of the enterprise’s information assets. The COBIT framework creates a new organizational image, aligning performance measurement, monitoring, and control within one integral process model; this opens broad market opportunities to businesses and demonstrates the critical role of IT in maintaining regulatory compliance at all levels of organizational performance.
Cognos. (2006). IT’s critical role in SOX and regulatory compliance. Retrieved October 3, 2008 from http://www.cognos.com/pdfs/whitepapers/wp_its_critical_role_in_sox_and_regulatory_compliance.pdf
eCommerce Industry Brief. (2005). Regulatory compliance. Retrieved October 3, 2008 from
IT Governance Institute. (2008). COBIT 4.1. Executive summary. Retrieved October 3, 2008
Microsoft. (2006). Regulatory compliance planning guide. Retrieved October 3, 2008 from