COBIT 2019 and the IIA 2019 Guiding Principles of Corporate Governance: Two Frameworks, Many Similarities

Author: Graciela Braga, CGEIT, COBIT Fundamentals, CP, GPDR Foundation
Date Published: 13 July 2020

2019 was a very productive year for corporate governance. ISACA completed the publication of COBIT® 2019, a master framework internationally recognized for the governance and management of enterprise information and technology,1 and The Institute of Internal Auditors (IIA) published its Guiding Principles of Corporate Governance in collaboration with the Neel Corporate Governance Center.2

As COBIT 2019 mentions, enterprise governance of information and technology (EGIT) is an integral part of corporate governance.3 If information and technology (I&T) are among the most important resources to the enterprise, the board of directors (BoD) must consider including EGIT as part of its agenda, if it has not yet done so.

Of course, establishing a common language among all board members, especially nontechnical members, is a difficult task.

So, how can these 2 references be combined to align corporate and IT aspects and facilitate the relationships among board members, executive management, chief executive officers (CEOs), chief information officers (CIOs), assurance providers and internal auditors?

Two Sets of Guidance, Many Similarities

Both frameworks are standards- and guidance-related publications. COBIT 2019 explains that it is considered an umbrella framework, with several referenced standards that are not included as content.4 The same idea is considered in the IIA document, where the guiding principles are a summary of different references’ viewpoints. This characteristic facilitates integration and permanent updates with new publications and national and international regulations.

Neither of them proposes prescriptive solutions. If each enterprise is unique, each enterprise must design its own governance system. The IIA publication considers factors such as age, size, complexity and extent of international operations, while COBIT 2019 focuses on the enterprise’s needs and a set of design factors for customizing and prioritizing the governance system components.

Both distinguish governance responsibilities from management responsibilities. The IIA’s Principle 3 establishes that the form of leadership for the BoD and management should be different, as do different versions of COBIT®.

In their definitions of corporate governance, both consider the purpose of corporate governance as the alignment between stakeholder needs and enterprise objectives.

Both include evaluate, direct and monitor activities as part of corporate governance (figure 1).

Figure 1—Definitions of Governance

Both have similar principles.

COBIT 2019 presents 6 principles for a governance system:

  1. A governance system is required to satisfy stakeholder needs and to generate value from the use of I&T. To create value, the enterprise must balance benefits, risk, and resources, and develop an actionable strategy and governance system.
  2. Several components build a governance system. They can be of different types and must work together in a holistic way.
  3. A governance system should be dynamic: If one or more of the design factors have changed (e.g., a change in strategy or technology), the enterprise must consider how this impacts the EGIT system.
  4. Governance and management activities and structures are different.
  5. The enterprise’s needs should be used to tailor the governance system. To do this, a set of design factors for customizing and prioritizing the governance system components is used.
  6. A governance system includes all enterprise functions, focusing on IT function and all technology and information the enterprise uses to achieve its goals.

It is possible to correlate the COBIT 2019 governance system principles with the IIA principles and concepts (figure 2).

Figure 2—Correlation of Principles

Both have similar components, which can also be correlated (figure 3).

Figure 3—Correlation of Components

Conclusion

COBIT 2019 recognizes that EGIT is part of corporate governance. Today, I&T are required resources for achieving enterprise objectives. IT governance and corporate governance cannot be applied separately. Both COBIT 2019 and the IIA Guiding Principles of Corporate Governance can be used to help the BoD and management to meet their responsibilities and create and maintain value for stakeholders.

Graciela Braga, CGEIT

Graciela Braga is a certified professional in enterprise governance of information and technology (EGIT) oriented to the achievement of enterprise and alignment goals. She has worked on audits and reviews for public and private entities using international frameworks such as COBIT, Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ISO standards. She is an author and researcher on governance and management of I&T in various media, including the ISACA® Journal and COBIT Focus. Braga is a leader of ISACA’s COBIT and Frameworks Community. Also, she was a global guidance contributor to the Global Technology Audit Guide (GTAG) Auditing IT Governance, 2nd Edition, published by The Institute of Internal Auditors (IIA). She can be reached at http://www.linkedin.com/in/graciela-braga-13279b58.

Endnotes

1 ISACA®, COBIT® 2019, USA, 2018
2 The Institute of Internal Auditors, Neel Corporate Governance Center, University of Tennessee, Guiding Principles of Corporate Governance, USA, 2019
3 ISACA, COBIT® 2019 Framework: Governance and Management Objectives, USA, 2018
4 ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018