With the increased use of IT within organizations there is a need to develop mechanisms that help management to satisfy the reliability, availability and security requirements for the information they produce, transmit and store. Moreover, with investments in IT becoming more complex and riskier, management should learn to administer their organizations’ IT resources in terms of infrastructure, applications, information and HR.
For this to occur, there needs to be an adequate understanding of the organization’s IT architecture and a defined IT governance function. To support management in addressing these needs, a number of different frameworks are being used to evaluate the IS function. A popular framework is the Control Objectives for Information and related Technology (COBIT). COBIT is a framework that was originally designed to be used as a benchmark for best control practices by the Information Technology Governance Institute.
The framework offers best practices through a ‘domain and process’ structure that is easily manageable. In the following paper, the COBIT framework will be reviewed, including a description of its main features and how it supports management with IT governance. Furthermore, the article will assess some of the main benefits offered by COBIT. Finally, it will compare COBIT with another popular framework used for IT projects, the PMBOK, in terms of purpose, structure and advantages.
The Need for a Framework

As the IT function has continued to expand and has gained a prominent role within organizations, there are pressures from different stakeholders including regulatory bodies, customers, and suppliers, among others, to have standardized control mechanisms which make IT comprehensible and manageable. According to Tuttle and Vanderbilt (2007), due to the Sarbanes-Oxley Act of 2002 and the release of the Public Company Accounting Oversight Board’s (PCAOB) Auditing Standard No. 2 (AS2) in 2004, organizations have started to rely on frameworks more and more.
Among some of the most commonly referenced frameworks, one can identify ITIL, PRINCE2, PMBOK, ISO 20000, ISO 27000, TOGAF, AVAIL and COBIT. The frameworks are used as a guide to design internal controls that are comprehensive and reliable when objectives, there needs to be a control framework that conceptualizes the main features of internal control inside an IT context in a logical and understandable way. It is within this context that COBIT emerged as a recognized control framework which is supplementing the Treadway Commission’s Committee of Sponsoring Organizations (COSO) evaluation framework (Tuttle and Vanderbilt, 2007).
While COSO has been used mostly as the basis for management evaluation, at the international level organizations are supplementing their control standards with the ones offered by COBIT (Tuttle and Vanderbilt, 2007). The reason for this is that unlike COSO’s five categorized components, COBIT is founded as a process model arranged using a ‘system life cycle approach’ which has four primary domains: ‘Plan and Organize’, ‘Acquire and Implement’, ‘Deliver and Support’ and ‘Monitor and Evaluate’ (Tuttle and Vanderbilt, 2007).
Each domain contains precise processes which enable organizations to meet their IT control objectives. Additionally, each control objective is complemented with auditing procedures for each of the processes. Tuttle and Vanderbilt (2007) believe that one of the main advantages of COBIT is that control objectives are on one hand explicit enough that they can be straightforwardly implemented, and on the other hand general enough to be adaptable to different types of audits. In the following section, the COBIT framework and its main characteristics will be described.
Meeting Internal Control Objectives: The COBIT Framework

One of the major problems related to IT is the fact that the IT function tends to operate isolated from the business components, providing technological support instead of enabling more efficient processes, solving information issues or creating new opportunities. Some of the reasons for such apathy towards IT include the perceived risks of depending on systems that are not understood, differences in languages, metrics and goals, or fear of losing control over the value-generating processes.
Considering these issues, COBIT emerges as a tool that can be used to create better control over IT. The framework states that for IT to properly deliver against the business needs, there should be an internal control system that allows management to determine the links between IT and business requirements, align IT into the existing processes, and leverage better IT investments. Another management need that has been identified is the increasing pressure for more transparency about the real costs, value and risks of IT.
COBIT tackles this problem by setting the basis for the establishment of a solid IT governance structure with defined goals and metrics to measure the performance of IT. The model recognizes the importance of performance measurement by ‘setting and monitoring measurable objectives of what the IT processes need to deliver, and how to deliver’ (IT Governance Institute, 2007). Furthermore, COBIT’s process model represents processes which are identified in the IT function, providing a reference model that is easy to understand.
The COBIT framework starts from the principle that states: “to provide the deeds to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information” (IT Governance Institute, 2007). The key distinguishing features of COBIT involve the management and control of information and making sure that it is aligned with the business. Given these features, it is evident that information is the element COBIT focuses on the most.
For this reason, the framework has seven specific and overlapping control criteria defined by COBIT as ‘business requirements for information’ which are: effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability (IT Governance Institute, 2007). In essence, the criteria ensure that information is being created, transmitted, delivered and stored in appropriate conditions and that those who need it have access to it on time and at a low exposure risk, generating value for the business. Another important characteristic of COBIT is the provision of a definition for what they call ‘IT Resources’.
Here, the main resources identified are applications (systems and procedures that process information), information (data in all forms processed by applications), infrastructure (technology and facilities that support applications), and most important, the people (internal and external personnel managing the IS) (IT Governance Institute, 2007). Another emphasis that COBIT gives is to the definition of business and IT goals. According to the IT Governance Institute (2007), having generic goals generates a refined basis for establishing the requirements and metrics that will be later used to assess the goals established.
Intertwined with such objectives there should also be a definition of IT goals that determine the IT resources and capabilities that will be required to successfully execute the organization’s strategy. In order to better align these goals and ensure understanding from both sides (business and IT), the goals need to be expressed in business terms. Aside from being business-focused, COBIT is also process-oriented, meaning that IT activities are defined in a cycle model that involves the four interlinked domains previously mentioned (‘Plan and Organize’ [PO], ‘Acquire and Implement’ [AI], ‘Deliver and Support’ [DS] and ‘Monitor and Evaluate’ [ME]).
The purpose of these domains is to map the responsibility areas of IT. Having such an integrative model together with a common language facilitates the establishment of good IT governance and ensures that the control aspect is included. Another advantage of this model is the ease of assigning processes and responsibilities, which leads to better accountability and ownership among the people involved in managing the IT function.
The Control-based Advantage

The IT Governance Institute (2007) defines control as “the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected”. On the IT side, this means that IT control objectives deal with IT processes. These controls include a set of actions, practices and structures which help to increase value as well as reduce risks, that oversee business and IT objectives and track their progress, correcting any issues found along the way (IT Governance Institute, 2007).
By organizing all the IT activities into structured processes which are carefully controlled by operational managers, the framework defines the connections between IT governance requirements, the processes and the established controls (IT Governance Institute, 2007). Furthermore, the IT processes have detailed descriptions linked to associated control objectives. These control objectives are recognized by a two-character domain reference (PO, AI, DS and ME) together with a process number and a control objective number.
Besides the specific control objectives, there are other generic control requirements that should be met by all processes (IT Governance Institute, 2007). The benefit of this organized structure is that COBIT offers control objectives specified for each process, facilitating the controlling role by making clear what variables to measure. Moreover, there are specific benefits from monitoring processes closely. For instance, effective controls can help to manage risks better and set policies to accept, transfer and mitigate them depending on the type and likelihood of the risk.
They also improve value delivery through efficient management of IT resources, reducing the number of errors committed and having consistent performance measures and management practices (IT Governance Institute, 2007). COBIT provides examples for the generic processes and guidance for assigning roles and responsibilities using RACI charts for each process. In the model, responsibility is attributed to the person who actually does the job (IT Governance Institute, 2007). The ‘enterprise’s system of internal controls’ described by COBIT has impacts at three levels.
At the executive management level, all the high-level decisions are made in order to organize the resources that the organization will employ to execute the corporate strategy. This governance approach has to be communicated throughout the enterprise to ensure that all participants are on the same page. Secondly, at the business process level, the controls defined are applied to the business activities. Application controls are those that are assigned for automated processes, and hence are automated too (IT Governance Institute, 2007). Other controls will remain manual and under the supervision of specific users.
These controls have to be defined by the business side but the controls require participation of the IT function to provide support in terms of design and development (IT Governance Institute, 2007). Finally, at the IT service level there are IT processes which provide general support and hence include IT general controls. These controls are essential in order to establish reliance on the application controls. COBIT suggests that the responsibility for application controls should be an ‘end-to-end joint responsibility between business and IT’, although the model goes beyond this to assign specific roles to business and to IT.
For instance, the business side should take care of defining the control requirements and utilize the automated services, while the IT side should automate and implement business and control requirements, and maintain the integrity of application controls.

The Generic Maturity Model

Senior executives are expected to understand and measure the performance of IT. However, given the evolving nature of IT and its complexity, businesses need to improve their assessment systems and look for better benchmarking tools.
Given this issue, COBIT offers maturity modeling to provide generic profiles of the different stages that organizations go through as they develop management and control over their IT processes (IT Governance Institute, 2007). The reason for this is to evaluate the organization on a maturity scale from ‘non-existent’ to ‘optimized’. The approach, although derived from the Software Engineering Institute, differs in the way it offers a generic definition for the maturity scale for IT management (IT Governance Institute, 2007).
Each maturity level is prescribed as a profile of IT processes that an organization should identify at different stages. COBIT describes a maturity assessment through which management can identify the conditions that are relevant for each level and hence understand the current level of their organizations and what they require to move to the next stage (IT Governance Institute, 2007). The maturity models offer a number of advantages for managers such as recognizing the actual performance of the enterprise, the targets to improve and the path of growth (IT Governance Institute, 2007).
Another advantage of maturity modeling is that it is easy to apply and appreciate the requirements that are involved in performance improvements. Management can use these models to measure how well developed management processes are, including IT defined objectives. During the assessment, the level of management maturity is directly proportional to the organization’s dependence on IT and the value of its information (IT Governance Institute, 2007).
Nevertheless, COBIT recognizes that coverage, the depth of control and how capabilities are used are cost-benefit decisions assigned to management (IT Governance Institute, 2007). Although higher levels of maturity can represent higher levels of control, the organization will still have to assess the value and risk drivers in order to determine the control mechanisms to use. Furthermore, COBIT suggests that the appropriate control environment will be reached when the three aspects of maturity (‘capability’, ‘coverage’ and ‘control’) have been considered (IT Governance Institute, 2007).
Finally, COBIT argues that as maturity levels are improved, the risks are reduced, leading to fewer errors, processes meeting expectations and more efficiency. Overall, COBIT is an integrative, control-based tool that offers a governance framework to better manage the IT function within organizations. The process structure offered by COBIT is an innovative way of providing a comprehensive and cyclical view of the major decisions that define the role of IT. It is clear that from such a structure, there can be a better alignment of IT and business due to the mutual participation of both parties in IT decisions.
This leads to better understanding of the IT function from the business side and clearer definition of roles and ownership over organization can better comply with external regulations hence satisfy the demands from other stakeholders and in the end maximize the utility of the IT function in the organization. Despite the advantages offered by COBIT, there are other useful frameworks that provide other advantages and can serve even as complementary tools when managing the IT function. An example of this is the PMBOK offered by the Project Management Institute.
In the following section, the PMBOK will be briefly described, including some of the advantages it offers. Moreover, it will be compared with COBIT in terms of some of their similarities and differences.

The Importance of Project Planning: PMBOK

With the increasing trend of micro-management and the attention given to projects, organizations are seeking ways to manage these projects in structured, consistent and controlled ways that help to measure and improve the probability of meeting targets.
This need has given rise to the field of project management, which is mostly dedicated to studying the best practices to plan, execute and monitor projects in organizations. There are numerous sources of knowledge and frameworks that support the practice of project management such as the International Project Management Association, the Office of Government Commerce, or the Project Management Institute, among others (Ezekiel, 2009). The PMBOK is one of the most popular project management guides and contains nine ‘Knowledge Areas’ that should be considered throughout the project life (as cited in Ezekiel, 2009).
A major limitation of the PMBOK which Ezekiel (2009) identifies is the fact that applying all the processes it contains requires time, and time is one of the major constraints that project managers have. For this reason, project managers tend to choose only some of the processes which they are familiar with or that they may find relevant to the project at hand (Ezekiel, 2009). This, to some extent, defeats the purpose of having the ‘Knowledge Areas’, which are designed to improve the likelihood of project success.
Another limitation of the PMBOK is that it does not define the importance of each of the ‘Knowledge Areas’, which may misguide their use. Having such information could help project managers to improve their decision-making regarding the time and other resources allocated for each ‘Knowledge Area’ and their associated processes (Ezekiel, 2009). The main purpose of the PMBOK is to establish good practices that support the planning phase, the backbone, of any project.
The goal of this planning phase is to prepare the structure that will guide the execution and control of the project. This phase could actually be considered one of the success factors for the entire project (Ezekiel, 2009). Project planning sets the direction, providing enough detail, so that the entire project team understands what is being done, why it is being done, when it should be done and the resources that should be used to ensure that the deliverables meet expectations (Ezekiel, 2009).
By adopting adequate planning practices, Ezekiel (2009) argues that organizations can perceive the following benefits: 1) reduce the level of uncertainty, 2) improve the efficiency of the operations, 3) monitor and have better control of the project’s variables. Furthermore, given the project manager’s dependence on some stakeholders such as the project sponsor as well as the ultimate customer or beneficiary of the project, the project manager needs to provide a detailed and reliable plan in which the stakeholders’ views and needs are communicated, along with how these needs will be satisfied (Ezekiel, 2009).
Referring in more detail to the different project areas, the PMBOK involves 42 processes, including 20 which are only planning (around 48% of the entire project) (Ezekiel, 2009). The nine knowledge areas that the PMBOK studies are: integration, time, scope, HR, cost, risk, quality, communications, and procurement. The use of each of these areas will vary depending on the industry, the project management office, and even the culture. According to Ezekiel (2009), the knowledge areas that will contribute the most to project success from early in the planning phase are ‘Time’, ‘Risk’, ‘Scope’, ‘HR’ and ‘Integration’.
The schedule is the area which has the major impact on project success given that it provides the timeline of events and the deadlines that the project team should be aware of in order to avoid overextending the project, which tends to result in additional costs (Ezekiel, 2009). The literature sustains that scheduling techniques such as the critical path method were the first tools available for project managers and they are tools that are included in every project management software package (Ezekiel, 2009). The second most relevant area is ‘Risk’.
A risk plan that identifies the major risks, the project task that will generate each risk, the probability of occurrence and the impact it will have on the project is an essential component that should be determined early in the project. In addition to this, project managers should define the ways they will manage and control risks. Action plans should specify whether risks will be accepted, transferred or mitigated. Establishing monitoring practices is also important since risks can develop and appear at different points in the project.
Finally, the scope statement is considered to be the third most important area during planning. The ‘Scope’ sets the boundaries of the project and specifies what the project funder should expect to receive by the end of the project. Furthermore, the PMBOK also contains four indexes that can help to measure project success. The first three, time, cost, project scope and quality, also called the ‘iron triangle’ in the literature, are directly associated with the efficiency of the project management process (Ezekiel, 2009).
The fourth component is customer satisfaction and it is related to measuring the organizational benefits offered by the project (Ezekiel, 2009). Customer satisfaction measures the impact that the project has on the customer or the business impact on the overall organization, such as new opportunities created. In contrast to COBIT, the PMBOK is more customer-driven given the dependence of the project’s success on the perceived value from the side of the beneficiaries. For instance, sometimes a project may meet all specifications but it may not satisfy the needs of the customer or address the problem for which it was developed.
For this reason, communication between the project team and other stakeholders becomes a critical element during the planning phase. Process that enables project managers to carry out their projects and understanding the determining factors that require attention in order to guarantee project success. Moreover, the PMBOK is constantly updated with new standards and best practices coming from a broad range of sources including project managers and project management offices from different organizations and industries, consulting firms, and research institutes, among others.
Having all these sources of knowledge available allows for the fast development of new and better project management practices and tools that automate processes, reduce the levels of risk and improve resource management. Finally, the PMBOK contains not only detailed processes but also offers a series of tools, some more complex and costly than others, which project managers can implement in order to improve their planning and assess the performance of the project. Despite some of the benefits offered by the PMBOK during project planning, there are also some limitations.
According to Assassin (2010) the PMBOK tends to be based mostly on a “mechanical, monoclonal, monadic, linear structure and a discrete view of human nature and societies and their perceptions, knowledge and actions”. The process-based structure offered by the PMBOK works on the basis of the Newtonian concept of causality. This means that the traditional conception of project management is not structured in a way that it can solve the complex challenges of current projects such as the adaptation of new technologies or the transition of some organizations from manufacturing to the services sector (Assassin, 2010).
To cope with these new challenges, project management has been evolving to give more attention to the HR area. This approach is becoming more ‘behavior-oriented’ and seeks to understand project management in terms of its ‘soft factors’ including interactions between stakeholders and changes of attitude throughout the project life cycle (Assassin, 2010). When comparing the PMBOK and COBIT one can identify several differences and similarities. The PMBOK is similar to COBIT in the way it is structured as a process-based framework with a cyclical life.
Both frameworks, in their own terms (goals and objectives, or scope statement), begin with the definition of a set of directions that determine what the application of the framework is trying to accomplish. Another similarity is that both models attempt to establish a structure that facilitates and provides consistency for decision-making processes. Although each model has its own language, both recognize the importance of integrating stakeholders, one expressing it as the alignment between IT and business and the other one expressing it in terms of having clear communication between the project team and the project funders.
Moving on to the differences between the two frameworks, while COBIT has different audiences such as senior managers, auditors and IT executives, among others, the PMBOK is mainly targeted at project managers. Moreover, while COBIT’s approach to body dedicated to IT and its alignment with business; the PMBOK’s approach to governance is more specific or project-based, offering a micro-level approach to the construction of the decision-making for a determined project.
Moreover, the PMBOK gives great attention to the planning phase of projects, so most of its processes and tools tend to be prescribed for use early in the project. In contrast, COBIT is a control-based model that, instead of focusing on execution, concentrates on the post-implementation or established IT functions that require adaptation of governance structures, and hence it involves major areas such as change management and task-monitoring.
Given these differing approaches, it could be argued that both COBIT and the PMBOK can be complementary frameworks. On one hand the PMBOK can be used as a reference framework for the planning and execution of IT projects. On the other hand COBIT can be referenced as the model used to implement governance and control mechanisms for the IT function so that IT and business can be better aligned and hence retrieve more value from IT. In conclusion, this essay has reviewed the COBIT framework and its different components.
Furthermore, it has compared the model with another popular framework, the PMBOK, which is referenced mostly by project managers. As has been reviewed, COBIT is a process-based approach following a complete life-cycle that is structured in four domains, offering control objectives and mechanisms for each process. Taking a control-based approach, COBIT emphasizes the need for monitoring risks and measuring performance in order to ensure that objectives are being met and hence maximize the allocation of IT investments.