COBIT Case Study: Coopers & Lybrand
ABSTRACT
Coopers & Lybrand in the Netherlands has 100 EDP auditors in computer assurance
services, many who already have in depth knowledge of COBIT and are putting it to use
for clients. For many clients we use the following phased approach:




Focus. Identify business drivers for IT and assess the level of business risks
involved with the deployment of IT.
Evaluate. Assess threats and vulnerabilities, identify lacking or inadequate control
measures and determine root causes.
Address control deficiencies. Agree upon action plans and apply internal control
improvements.
Monitor. Ensure continuous improvement through the implementation of
adequate monitoring of the internal control measures put in place.
A unique benefit of COBIT is that Information Technology Infrastructure Library (ITIL)
is one of the global standards on which COBIT is based. Developed in the UK, ITIL is
popular in many countries. In the Netherlands, auditors who are members of ITIMF.EDP,
an ITIL user group, frequently are asked to audit IT processes created using ITIL
publications. COBIT provides an excellent framework to perform these audits.
BACKGROUND
We have implemented COBIT for several Coopers & Lybrand clients and are strong
supporters of the framework. Our staff uses it to develop improvement programs for
client IT departments. The detailed control objectives help us better assess client systems
management processes.
PROCESS
Examples of how COBIT was successfully used in business situations include:
Airline company. The client asked us to measure effectiveness and efficiency of its IT
department. We first measured user satisfaction and, after analyzing the findings,
performed a detailed review of IT processes based on COBIT guidance. As a result,
procedures in the IT department were significantly improved.
Network services supplier. A network provider implemented systems management
based on ITIL. We were asked to perform a third party review and report the results to
clients of the provider. Our staff used the COBIT framework to perform the audit.
Not-for-Profit. Based on COBIT's principles and ITIL we conducted an improvement
program for the IT department.
Chamber of Commerce. Several mergers and significant business changes had affected
the organization's IT environment. We used the COBIT framework to implement an
appropriate improvement program.
Bank. A Dutch bank asked us to document baseline controls for several platforms. We
described baseline controls for RS/6000, Windows NT servers and several network
components. For the systems management part of the baseline controls we consulted the
detailed control objectives from COBIT.