GRC Case Study — 2026

COBIT-Based IT
Governance Gap Assessment

IT governance gap assessment of a healthcare technology company (1,200 employees, $200M revenue, 3 acquisitions in 2 years). 19 COBIT 2019 governance and management objectives assessed using maturity models. Findings mapped to COSO Internal Control principles. Prioritized recommendations for SOX readiness and enterprise risk management maturity.

View on GitHub Back to GRC

Engagement at a Glance

0 COBIT 2019 Objectives Assessed
0 Avg Current Maturity
0 Target Maturity
0 Control Gaps Identified

Assessment Timeline

Four-week engagement using COBIT 2019 maturity models and COSO 2013 internal control mapping.

Phase 1
Week 1
Phase 2
Weeks 2-3
Phase 3
Week 3
Phase 4
Week 4
Phase 1 — Week 1 Scoping & Data Gathering

Assessment Scope & Stakeholder Alignment

Define assessment scope, identify stakeholders, conduct executive interviews, review existing IT governance documentation and committee structures. Establish target maturity profiles aligned with business strategy and regulatory requirements.

Phase 2 — Weeks 2-3 Assessment & Analysis

Maturity Assessment & Gap Analysis

Assess 19 COBIT 2019 governance and management objectives against the 0-5 CMMI-based maturity scale. Evaluate EDM, APO, BAI, DSS, and MEA domains. Identify gaps between current and target maturity states across all objectives with supporting evidence.

Phase 3 — Week 3 Mapping & Recommendations

COSO Mapping & Prioritized Recommendations

Map all findings to COSO 2013 internal control principles across the five components (Control Environment, Risk Assessment, Control Activities, Information & Communication, Monitoring). Develop prioritized recommendations with cost-benefit analysis and ownership assignment.

Phase 4 — Week 4 Executive Deliverables

Executive Reporting

Board-ready executive summary with maturity scores by domain, detailed gap analysis, and a 12-month governance improvement roadmap. Includes risk heat maps, control deficiency register, and resource requirements for achieving target maturity.

Governance Maturity Analysis

Current vs. target maturity across COBIT 2019 domains and severity distribution of identified control gaps.

Maturity by COBIT Domain

Current maturity (2.1 avg) vs. target (3.5) across 5 COBIT 2019 governance domains

Gaps by Severity

13 control gaps identified: 3 Critical, 5 High, 3 Medium, 2 Low

Key Engagement Artifacts

Governance Assessment Scope & Planning

Detailed engagement charter with scope boundaries, stakeholder register, and assessment schedule

Maturity Ratings (19 COBIT Objectives)

Current vs. target maturity scores for each COBIT 2019 objective with supporting evidence

Gap Analysis Report (13 Findings)

Findings register with severity ratings, root cause analysis, and control deficiency details

Prioritized Recommendations (12 Actions)

Ranked remediation actions with cost-benefit analysis, owners, and target completion dates

COSO Internal Control Mapping

Complete mapping of COBIT 2019 findings to COSO 2013 internal control principles

Executive Summary for Board

Board-ready report with maturity scores, gap analysis, risk heat maps, and 12-month roadmap

Business Impact

SOX Readiness

Governance framework established to support SOX compliance journey with clear maturity targets and gap remediation roadmap

Acquisition Integration

IT governance harmonization roadmap for 3 recently acquired entities with standardized process frameworks

Risk Oversight

IT steering committee charter and escalation framework designed for enterprise risk management maturity

Full Project Repository

All assessment artifacts, maturity models, COSO mappings, and the executive report are available in the project repository.


View on GitHub Back to GRC Projects