While searching for a comprehensive IT governance methodology, Curtin University of Technology, based in Western Australia, was introduced to COBIT (Control Objectives for Information and related Technology). After reviewing COBIT's framework for IT governance, the university's IS department general manager realized that COBIT would substantially increase acceptance and reduce time needed to implement its IT governance program. COBIT was a strong factor in the university's success in achieving its primary goals for IT governance: transform organisational practices and pursue improved processes.
With more than 31,000 students, Curtin University of Technology is Western Australia's largest university. Its main campus is situated in Bentley, six kilometres south of the centre of Perth, Western Australia's capital city.
Curtin offers more than 850 undergraduate and postgraduate courses in business, engineering, health sciences, humanities, science, mining and agriculture. Its internal structure is comprised of the Vice Chancellory (senior management and central administration) and Academic Divisions (schools and departments).
Curtin's Information Management Services (IMS) department supports the university's information and communication technology (ICT) infrastructure. It also is responsible for a variety of university application implementations and the provision of desktop ICT support services for staff of the Vice Chancellory. IMS provides a central help desk to address ICT infrastructure and computer problems.
Headed by a general manager, the IMS staff is composed of approximately 100 full-time-equivalent employees. The department is structured into four directorates:
Staff members of the Curtin University internal audit team learned about COBIT and, impressed with its content, brought it to the attention of the institution's IMS leadership. Leaders had been expressing an ongoing concern about IT governance, and, after careful review, senior committees resolved to adopt COBIT as a university standard.
Implementation began with university auditors using COBIT as a guide for formal audits of the central ICT organisation, also known as IMS. The IMS general manager at that time was enthusiastic about the COBIT framework's potential as a guide to improved practice, and gave support to the IMS quality and policy team. Soon after, multiple sets of COBIT were distributed to IMS senior management.
The IMS quality and policy team then initiated consciousness-raising exercises by presenting overviews of COBIT at quarterly all-staff meetings and IMS executive meetings. Team members used COBIT PDFs and text from the COBIT package to help illustrate and describe the information. On a short-term basis they also brought in a knowledgeable external auditing consultant to help further increase understanding of the COBIT IT management framework and its implementation.
All team leaders and appropriate key staff members were given a copy of the COBIT Control Objectives and Management Guidelines manuals. This helped raise COBIT's visibility and encouraged additional people to use the documents as references and resources.
The current IMS general manager has continued the enthusiasm surrounding the benefits of implementing the COBIT framework by supporting two successive years of audits/reviews of process performance based on selected COBIT objectives.
IMS has a small, largely self-directed quality/process improvement team consisting of two FTEs and a manager. This team performs the audits, which are now more commonly referred to as reviews because they are more a cooperative review/planning venture than an adversarial audit. The team uses a clear methodology to gather data, consult on drafts and present reports. It also is actively involved with the university's internal audit team to ensure quality assurance of the work.
Starting in 2001, with the goal of fostering thinking about how IMS rated against the IT maturity scale, the IMS manager of quality and policy utilised his more than 20 years' experience and knowledge of the organisation to develop an estimate of IMS' maturity level against each objective. Geared as an empirical exercise, rather than a strictly scientific process, the resulting material was circulated to stimulate awareness of IT-related issues, thoughts and reactions.
This pragmatic approach gave the team a strong head start in reviewing objectives and identifying a path for improvement.
Also in 2001, staff performed several reviews/audits using many measures from the COBIT Audit Guidelines. Although not all of the results were considered satisfactory, the findings enabled staff to develop initial strategies to improve the maturity of the audited objectives. Objectives to be reviewed were selected based on a composite of the initial maturity assessment, the view of senior staff and a desire to focus on an achievable number of areas for improvement. Then, later in the year, the staff assessed progress and reprioritised what was considered to be highly important.
Taking the next step, for 2002 Curtin University developed a new schedule of audits covering 12 objectives. Staff members are adopting an attitude that allows the results of an audit to serve as an opportunity to plan improvements, rather than focusing on results to censure a team. Based on reviews already completed, this process has proven to be extremely positive and beneficial.
Each COBIT audit has evaluated the current maturity level by comparing the director's evaluation with that of the function's stakeholders. The audit also reviews internal evidence to arrive at the maturity model rating. Each audit has been an educative and communicative exercise for operational staff and stakeholder clients.
In June 2002, a representative from the Curtin University internal audit department reported that they are finding marked improvements in maturity levels across the board as they perform detailed maturity level audits.
Three factors have been critical to the success of COBIT:
Since 2001, Curtin University of Technology has been using COBIT to self-audit its information and communication technology (ICT) practices and identify opportunities for improvement. Because every objective cannot be audited every year, IMS management annually selects the objectives most likely to offer the institution and its clients significant performance gains in response to audit findings.
IMS management believes that COBIT offers an economical continuous improvement framework. From this framework, staff can extract globally-standard approaches, self-auditing standards, best practices and nearly everything needed to guide the university's efforts to improve processes.
The COBIT framework is a useful tool to break through the myopia present in practices that have evolved over the years. It helps employees understand and accept that there can be improved ways of approaching their tasks and responsibilities. COBIT is an excellent value.
See attached comments from Internal Audit.
Leaders of the Curtin University of Technology's Information Management Services department (IMS) were seeking an IT governance methodology. When COBIT (Control Objectives for Information and related Technology) was introduced by the internal audit department, the IMS general manager realized that COBIT's framework would substantially reduce the time needed to articulate and implement the IT governance-related changes and improvements needed within IMS.
This introduction of COBIT to Curtin was a result of audit strategy and positioning. The resulting implementation arose in conjunction with an audit review of Curtin's strategic planning, which is based on the balanced scorecard. Since COBIT is compliant with the balanced scorecard, it fit well with internal strategy.
Working with corporate planners and IMS management, internal audit pushed for and achieved the adoption of COBIT by the university as its official IT governance methodology.
The next strategic step was to implement COBIT in IMS at the operational level. It was imperative that, although COBIT was introduced by internal audit, its implementation was driven by IMS. This approach greatly accelerated the implementation and acceptance rate.
Next on the strategic ladder was building an implementation mentoring and partnership relationship between internal audit and IMS. The IMS general manager became the driver of the COBIT implementation and a Process Improvement Team was facilitator and evaluator. The Process Team followed through in terms of control and process improvement. An additional positive result of this arrangement was that the partners developed templates for use in all audits.
During the COBIT implementation phase, internal audit secured the services of an external consultant who was knowledgeable about COBIT. This consultant helped introduce and explain the concept of COBIT to key IMS staff. Internal audit then worked in conjunction with the Process Improvement Team on several audits, collaborating on the audit plan, progressive interviews and audit work, as well as final reports. IMS subsequently adopted Project Management and listed COBIT as a project.
Practical observations based on internal audit's experiences include:
As COBIT implementation progressed and the skills of the Process Improvement Team staff improved, internal audit rapidly began to disengage from the audits and let the team assume the full audits.
Overall, the contribution of COBIT as a measure of success was tremendous. Compared to the outlay (in terms of manual), all processes were improved, some rising dramatically from level 1 to level 3 or 4.