COBIT 5 to demonstrate accountability

Statements of accountability are challenged as a test of the trust relationship between business and stakeholders.  Depending on the stakeholder, demonstrations of accountability will vary, but all aim to prove trustworthiness: the combination of honesty, competence and reliability (source: Robert Phillips at a seminar on 20th June 2017 on “Rebuilding Trust in Business”, hosted by the Financial Reporting Council).

The proof-mechanism is through accountability and its complement, responsibility.  Responsibility is attached to the person designated for achieving something, who then becomes accountable for explaining why and how things were decided and done.  This occurs in every role, from the chairman to the doorman, and the sum of these is used to rate the firm’s trustworthiness.
For practical application, I define accountability as the crème de la crème assurance piece.

With assurance, all aspects of the organisation are assessed, with opinions provided on each aspect, supported by complete and comprehensible evidence.
This approach makes COBIT the perfect tool as its origins are in assurance.  COBIT 5 is the crème de la crème tool because it is an enterprise-wide governance framework, covering all organisational aspects.  Any review using it will provide the evidence to support claims on how well a business has performed to meet obligations and objectives.

Here is a 9-point approach for firms to achieve demonstrable accountability.  All sources come from COBIT 5 for Assurance, identifiable in italics, unless otherwise stated.

  1. Boards (which covers senior partners and key decision-makers too) must understand the benefits of COBIT 5.
     Have a look at page 11.  The first point under “Drivers for Assurance” states that “[assurance provides] interested parties substantiated opinions on governance and management of enterprise IT according to assurance objectives”.
     Boards must define the starting point and the end game in terms of accountability.

     a. Start with the level of understanding in the organisation.  If you don’t understand, you cannot explain.  Using cybersecurity as the example, if you want to demonstrate how well your cybersecurity policy is working, you need to prove there is a common understanding of what the causes and consequences of a cyber breach are and how best to respond to minimise impact.
        Have a look at Section 1, Chapter 3, and Section 2A regarding the depth and breadth of understanding required.

     b. For the cyber example, look at Appendix D2 on risk management and also at.
        Think about what is captured in the annual report.  This is formal story-telling at year-end.  It needs to be factually accurate and complete, which it cannot be if corporate understanding is poor.
        Refer to Section 1, Chapter 3 and the FRC’s requirements for strategic reporting.

  2. Examine the corporate framework, such as the strategic and cultural approach, and the technical and behavioural responses.
     Build on the FRC’s strategic reporting requirements and look at Section 2A, Chapters 4 and 5.

  3. Demonstrate that the basics for risk management and control have been covered: act to protect by developing knowledge and learning alongside building experience.
     See Section 2A, Chapter 4.

  4. Explain the structure and quality of accountability offered by each department, the risk and compliance teams, the risk committee, internal and external audit, the audit committee and the board.
     Look at ISACA’s approach.
     Refer to Section 2A, Chapter 4, Section 5.

  5. Share how the firm will deal with changing legal and regulatory requirements.  Taking the General Data Protection Regulation (GDPR) as the example, explain: how the firm keeps track of all information; how processes, systems and data centres are subject to regular adequacy reviews; and how all major and critical gaps are addressed.
     Help on the basics can be found in “CYBERSECURITY EXPOSED: The Cyber House Rules”, Meeuwisse R, 2017, Cyber Simplicity Ltd., ISBN 978-1-911452-09-6.
     See Section 2A, Chapter 6.

  6. Explain how assurance over the collective behaviour and performance of all employees is measured by the senior executives and by internal and external auditors, to ensure outcomes are as intended.
     Look at Section 1, Chapter 3 and Section 2A, Chapter 8.

  7. Check that the assurances given internally are shared externally via the board or its equivalents, and complemented by feedback from external agencies such as regulators and the relevant supply chains.
     Refer to Section 1, Chapter 3.

  8. Watch out for complacency, indifference and ignorance masquerading as knowledge.
     Look at Section 2B, Chapter 4, Section 9.

Whenever accountability is modelled on a house of cards, it will collapse.  The UK supermarket chain, Tesco, did just that and the consequences were severe for stakeholders as well as the company:

09/03/17, Tesco to pay out nearly £10million to staff after payroll error
28/03/17, Tesco to pay redress for market abuse
28/03/17, Tesco to pay £129m penalty for accounting scandal
09/04/17, Tesco “buy one get none free” overcharging

Would COBIT 5 have prevented these?  The answer is ‘no’.  If people decide to deliberately misinform, they will do so regardless; but by applying COBIT 5 well, people, at least internally, have evidence of what is going on.  It will always be down to people whether they use that evidence to demonstrate accountability.

But COBIT 5 can support and maintain the virtuous circle of responsibility, accountability, sustainability and trustworthiness.  As it is a framework, its value relies on proper implementation.  Therefore, everyone needs a basic understanding of the COBIT 5 concepts, with those who use it understanding how to apply it.  Training people in COBIT 5 is a real investment in trustworthiness as it increases the overall professional capability of the firm.

The need for demonstrable accountability is here to stay.  The rise in cyber breaches is one example of why.  Poor accountability equals untrustworthiness, because it promotes an ethos of dishonesty, incompetence and unreliability.

Let COBIT 5 help your firm be trustworthy.

Posted in COBIT 5.