COBIT/IT Governance Case Study: Honorable Tribunal de Cuentas of the Province of Mendoza, Argentina
After undergoing an evaluation process, the Honorable Tribunal de Cuentas of the Province of Mendoza, Argentina, determined that it needed to enhance governance over information technology to assure Mendoza residents that the management of public funds was well monitored and secure. Information systems experts within the Honorary Tribunal recommended Control Objectives for Information and related Technology (COBIT) because it is an internationally recognized and accepted standard for good IT governance practices. The Tribunal management adopted COBIT and required every public entity in the province to comply with it.
The 200-employee Tribunal de Cuentas was created in 1916 by the Provincial Constitution of Argentina’s province of Mendoza to monitor the investments of public funds made by government officials, public powers, municipalities and any other person or entity that is involved with public income or cash flow. The Tribunal is directed by a president and four top leaders known as vocals.
Over the past 70 years, members of the Tribunal de Cuentas have continued to undergo increasingly advanced training to further develop their skills and adapt to technological, cultural and social changes. Though the Tribunal was formerly composed solely of accountants and attorneys, increasing technological complexity resulted in the recruitment of professionals in other critical disciplines, including information systems engineers and analysts.
To continue fulfilling its mission of protecting public funds, the Tribunal recognized that increased governance over information technology was required.
The Tribunal is extensively involved in self-review and assessment of its processes and management techniques. Through close evaluation it determined that it needed to enhance governance over technology to comply with its constitutional mandate to ensure its efficient control over the management of public funds.
The Honorary Tribunal is responsible for developing or adopting standards and norms for the control of its information systems and related technologies. After a thorough review and analysis of options available, information systems experts with the Honorary Tribunal recommended COBIT to Tribunal management. COBIT was viewed by Tribunal management as an applicable and accepted standard for good IT governance practices, and they promptly adopted COBIT and required every public entity in the province to comply with it as well. Main factors leading to this decision were COBIT’s strengths:
It is an internationally recognized framework that allows for the standardization of criteria regarding controls over IT.
Its framework supports the opinions of IS auditors in the review of IT processes. It provides senior management with:
A reasonable assurance that the corresponding control objectives are being achieved
Identification of where the weaknesses are in such controls
Justification of the risks that can be associated with such weaknesses
Executive guidance about the corrective measures that should be adopted
It is a framework for the preparation of specific audit plans and programs.
COBIT benefits the residents of Mendoza because it facilitates access to public information in a more orderly, precise, secure and timely manner, which allows for greater democratic participation.
Overall, COBIT enables the Honorary Tribunal de Cuentas to quantifiably evaluate the status of its information systems, which allows for better governance over those systems. This continues to be important because the Tribunal is committed to complying with the internationally recognized ISO 9000 standards, which offer confidence to third parties about the service provided by an entity. In complying with these standards, the Tribunal developed a mission to:
A) Develop the control of the public funds management, with moral integrity and criteria independency, in an environment of respect for the law, the republican institutions and the people
B) Promote necessary changes that allow an optimal use of the capacities and abilities of all members, through collective and personal efforts, to accomplish a timely, effective and efficient control structure
C) Encourage the community to perceive each action of the members of the Tribunal as a contribution to the transparency of public funds management
Following the adoption of this mission, the Tribunal conducted a series of exhaustive awareness, motivation and training sessions for all members. They analyzed all processes executed by the Tribunal and discussed ways to identify, restructure, correct, adapt, eliminate, create and modify existing procedures to become standardized. After an intense effort, the group developed working procedures, which became the Quality Manual of the Tribunal de Cuentas of the Province of Mendoza. This led to the formation of a group of internal quality auditors to control the process that had been initiated.
To request the certification of the quality assurance systems under ISO 9002, a qualifying organization was selected—SGS International Certification Services Argentina S.A., a member of the SGS (Société Genérale de Surveillance) Group headquartered in Geneva, Switzerland. After several years work, the team achieved certification of the ISO norms, which implies that the quality systems of the Tribunal is in compliance with the quality norm 9002, in respect to the control of public accounts and judgment of accounts of the Province of Mendoza.
As a result, the Tribunal de Cuentas was transformed into the first public entity in Latin America to have all of its procedures ISO 9000 certified.
By adopting the comprehensive framework of COBIT, the Honorary Tribunal has ensured improved management of public funds and governance of information systems.
The implementation of COBIT translates into benefits for the community of Mendoza because it facilitates understanding and control of the actions of the government. The basic services that need to be provided by the government to the citizens are enhanced when an efficient IS portfolio is managed, minimizing unbalanced and silo development and duplication of efforts. This is made possible because the basic criteria that information should have, and the controls to attain these criteria, are provided.
COBIT allows a better control of IT investments and their appropriate use, individualizing the associated risks and controls implemented. COBIT enables this by requiring strategic planning for IT, IT investment management, project management and risk evaluation. COBIT also enables better identification of processes that strongly support the most important services provided by the government, including security, health, justice and education.
Overall, the adoption of COBIT and its related maturity models is enabling the Province of Mendoza to have a quantifiable evaluation of the status of its IT, and its ability to effectively govern IT. This allows the planning of actions to achieve maturity values that enable true governance over information technology.