The Core Structure of COBIT 2019
COBIT 2019 organises IT governance and management around forty governance and management objectives, grouped into six domains. The framework separates governance objectives (in the "Evaluate, Direct, and Monitor" domain) from management objectives (in the remaining five management domains: "Align, Plan and Organise"; "Build, Acquire and Implement"; "Deliver, Service and Support"; and "Monitor, Evaluate and Assess").
This separation between governance and management is conceptually important. Governance involves the evaluation of needs, conditions, and options, setting direction, and monitoring performance and compliance. Management plans, builds, runs, and monitors activities to achieve the direction set by the governance body. The COBIT framework makes this distinction explicit — helping organisations understand that the board's role in IT governance is not to manage IT operations but to define direction, provide oversight, and evaluate performance.
Design Factors and Focus Areas
One of COBIT 2019's most significant improvements over COBIT 5 is the introduction of design factors — characteristics of the enterprise that influence how IT governance and management should be tailored for a specific organisation. Design factors include enterprise strategy, risk profile, IT-related issues, threat landscape, compliance requirements, technology adoption strategy, and the sourcing model for IT.
The design factors feed into focus areas — specific governance topics that require particular attention in the organisational context. COBIT 2019 defines several focus areas, among them cybersecurity, DevOps, cloud computing, and privacy, each of which comes with specific guidance on how the governance and management objectives apply in that context.
This tailoring mechanism makes COBIT 2019 significantly more practical to implement than its predecessors. Rather than applying the full framework uniformly, organisations can identify the design factors that characterise their situation and use these to prioritise the governance and management objectives most relevant to their context.
Using COBIT 2019 in IT Audit
COBIT 2019 provides internal auditors with several valuable audit tools. The governance and management objectives function as audit criteria: they define what effective IT governance and management looks like and provide the benchmark against which current practice can be assessed. The process activities and practices within each objective describe the specific things that should be happening; auditors can test whether these activities are actually occurring.
The capability levels defined in COBIT 2019 (based on the CMMI scale from 0 to 5) allow auditors to assess not just whether a process exists but how mature and effective it is — providing a nuanced picture of where governance and management practice stands relative to the standard and where investment in improvement would add the most value.
COBIT 2019's governance and management objectives are not abstract ideals — they describe specific, testable activities and practices. An IT audit structured around COBIT produces findings that are directly connected to governance and management standards, making them easier to prioritise and more credible to management and the board.
COBIT and the Audit Committee
One of the underutilised aspects of COBIT 2019 is its governance domain, which specifically addresses the board's and audit committee's role in IT oversight. The EDM (Evaluate, Direct, and Monitor) domain describes what the governing body should do to provide effective IT governance — from setting IT strategy and risk appetite through to monitoring IT performance and ensuring that IT delivers value relative to investment. Audit committees that are uncertain about their IT governance responsibilities will find COBIT 2019's governance objectives a valuable reference framework for defining their own oversight agenda.