COBIT and the CPA Firm, Part 2

R. Curtis Thompson, CISA, CPA, CITP
COBIT Focus | 23 February 2015
Last year, part 1 of this article outlined how CPA firm Yount, Hyde & Barbour was using COBIT to help build
processes to allow its IT department to better serve the enterprise’s needs. While progress has been slow, the firm
has seen improvements due to its implementation efforts.
A mid-sized regional accounting firm with 18 shareholders and 140 employees, the enterprise has 6 locations—1
recently relocated and a 7th location planned for inclusion in first quarter 2015. The staff is to be very mobile with at
least 20 people working remotely or at a client’s location at any given time. Given these conditions, there is a
complexity to the IT function that is greater than the size of the organization would suggest.
The firm looked to use COBIT to organize the IT function using a framework to create efficiency and meet the needs
and expectations of stakeholders. Using the 7 phases outlined in ISACA’s COBIT® 5 Implementation, the firm began
by identifying the drivers. The 3 major drivers identified were:
• A general disconnect existed between IT and the needs of the professionals.
• IT spending, while within budget, did not align with firm needs.
• IT expectations and demands among the firm’s shareholders varied.
Based on the 7 phases of the implementation life cycle defined in COBIT (figure 1), the firm determined that while it
was progressing with phase 2 (Where Are We Now?) and phase 3 (Where Do We Want to Be?), it continued to
struggle with these. Further, the 3 drivers identified as the biggest issues are interrelated with the same issue: the
IT department does not understand the needs of end users. This disconnect causes the IT department to spend
resources in areas that do not address the real needs of users. The IT department feels a need to satisfy the leaders
of the firm (the 18 shareholders), but sometimes at the expense of the needs of the firm as a whole.
Figure 1—The Seven Phases of the Implementation Life Cycle
Source: COBIT® 5 Implementation, 2012
Figure 2 illustrates where the firm needs to be. It defines the segregation of governance and management and
illustrates where most of the firm’s issues have been.
Figure 2—COBIT 5 Governance and Management Key Areas
Source: COBIT® 5, 2012
This diagram illustrates that business needs should flow through the governance function so that the needs can be
evaluated and passed on to the management side to plan, build and run. The problem the firm has is that business
needs often flow directly from the management side and, therefore, begin at the build and run steps. With this
scenario, resources are spent on the problems that management sees and little is done to evaluate whether these
are the best places to spend the resources or to plan projects properly. Because the governance role is bypassed,
projects are usually implemented inefficiently and, in too many cases, fail to meet expectations.
The firm performs IT audits for a large number of clients. Most of these clients are small (less than 500 employees)
with limited IT staff and, generally, no one in a chief technology officer (CTO) type of role. The firm’s management
determined that it should be a leader and use COBIT as the model to implement a governance and management
structure, thus offering it and its clients an example of COBIT use. Small companies face the same risk management
and governance concerns as larger companies.
The biggest challenge the firm faces is that it is a professional services company and, therefore, the leaders of the
firm are also responsible for client services. The firm must fulfill the needs of its clients and, therefore, internal
needs are sometimes not given the priority that they require. Due to the size of the organization, the firm has a
single role, the technology principal, within the IT structure spanning both governance and management. This role
is responsible for governance of the IT function, but when major projects are underway or numerous staff members
are working remotely for clients, this role may be called upon to help with day-to-day tasks of the IT department. As
an IT auditor with experience in network administration, the technology principal has the knowledge and
background to step in when needed.
These issues made the firm step back and ask the question: Can COBIT really be of any value in developing the
processes needed in a small company?
The answer it found is simply that COBIT is a valuable tool that should be used with the understanding that it will
take some scaling. The firm’s COBIT implementation will not be the end goal, but rather the paradigm through
which it will develop and evaluate the firm’s processes.
To illustrate this, one process (BAI01) can be used as an example. BAI01 Manage programs and projects is described
as, “Manage all programs and projects from the investment portfolio in alignment with enterprise strategy and in a
coordinated way. Initiate, plan, control and execute programs and projects, and close with a post-implementation
review.”
One of the issues the firm needs to address is managing projects so that they meet the end users’ needs.
The first consideration is who will be responsible for this? The Responsible, Accountable, Consulted and Informed
(RACI) chart lists 26 roles to assign the practice. Obviously, not every company has all of these titles, but in small
companies, even fewer of these specific titles exist.
The firm has employees with responsibility for significant roles similar to most of these positions, but their time is
shared with other responsibilities, including client services. So, this is the first modification to the COBIT
implementation process for the firm. Responsibility and accountability are assigned, and those who should be
consulted or informed are determined. The firm broke down the roles as board member, firm administrator,
human resources, IT principal and IT manager.
As an accounting firm, staff members are very comfortable using metrics. However, the metrics suggested in COBIT
5 and its related products did not fit the firm’s size. The IT-related goal of Alignment of IT and business strategy shows
a related metric as the percent of enterprise strategic goals and requirements supported by IT strategic goals. The
leaders of the firm are also the owners of the firm (shareholders/principals). They work together to develop
strategic goals. Therefore, the IT strategic goals are developed at the same time as the goals for the firm as a whole.
A good substitute metric for the firm would be the number of projects started that align with the strategic goals.
One of the biggest challenges in an IT project is BAI01.03 Manage stakeholder engagement. When stakeholders have
client responsibilities and fiscal metrics to achieve, maintaining engagement is difficult. In a smaller organization,
identifying stakeholders is a relatively easy task. Keeping them engaged is much more difficult. Communication is
critical, but other responsibilities interrupt timely discussions and decisions. In the end, there are 18 shareholders,
all with varying expectations and levels of involvement. However, they all must be comfortable with the results.
While these issues exist in companies of all sizes, the lack of human capital in a small company is more evident
when trying to establish controls, processes and plans as they are described in the COBIT documentation.
Where Are We Now?
A fair analysis of the firm’s progress would be to say it continues to work through phase 2 to phase 3 of
implementation. The COBIT process has addressed several of the concerns that drove the firm to begin this project.
The firm has implemented strategies that allow better communication between the end users and the IT
department, better aligning IT staff’s efforts with the needs of the organization. The firm’s strategic goals are
becoming more defined and correlation to IT strategies is more evident. While the segregation of governance and
management continues to overlap due to the firm’s size, there is recognition of the processes being uniquely
different.
What the firm has accomplished has been to identify the key processes within departments, and it is currently
working on assessing risk so that IT processes better support these processes and align resources based on this risk
assessment. Most important, the firm has opened dialogue to better integrate IT in the business.
While the firm still has continued implementation of COBIT as a goal, it will never be able to say the COBIT
processes are fully implemented. However, it is certain that the firm has made great improvements to its processes
by using COBIT as a framework. Implementation of COBIT is the destination, but whether the firm arrives is
irrelevant. Great improvements have occurred because of the journey.
The firm has put into place more definable processes and has aligned processes with the business goals. Through
discussions to develop where it wants to go, IT has a better understanding of the business goals and, more
important, the shareholders and staff better understand that IT can better serve them when they communicate
their goals. Through the use of COBIT 5, IT has become less of a silo and more integrated and pervasive in the
business.
When one has a goal in mind, it is critical not to ignore the accomplishments along the way. In this case, the firm has
been looking to build better IT systems and processes to improve the company as a whole. It is accomplishing this,
and in addition, the firm has succeeded in focusing the IT department on alignment with the goals of others and the
staff is more aware of how important it is to communicate with IT.
R. Curtis Thompson, CISA, CPA, CITP
Is a shareholder at Yount, Hyde & Barbour, PC, a regional CPA firm. His practice is focused on technology and
internal controls services for various industries with a concentration in financial institutions.