
Why COBIT

April 12, 2010

 

COBIT resources should be used as a source of best practice guidance. Each of the following is organized by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management, as well as IS auditors; its use therefore enables business objectives to be understood, best practices to be communicated and recommendations to be made around a commonly understood and well-respected standard reference. COBIT includes:

  • Control Objectives – High-level and detailed generic statements of minimum good control
  • Control Practices – Practical rationales and “how to implement” guidance for the control objectives
  • Audit Guidelines – Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
  • Management Guidelines – Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

The COBIT Framework states, “It is management’s responsibility to safeguard all the assets of the enterprise. To discharge this responsibility as well as to achieve its expectations, management should establish an adequate system of internal control.”

 

  

COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:

  • Performance measurement – How well is the IT function supporting business requirements?
  • IT control profiling – What IT processes are important? What are the critical success factors for control?
  • Awareness – What are the risks of not achieving the objectives?
  • Benchmarking – What do others do? How can results be measured and compared?

  

COBIT Management Guidelines provides example metrics that enable IT performance to be assessed in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

  

  

COBIT provides a detailed set of controls and control techniques for the information systems management environment. The COBIT material most relevant to the scope of a particular audit is selected by choosing specific COBIT IT processes and considering the COBIT information criteria.