This is probably old news for many of you, but historically there has been an interesting set of relationships between COBIT, ITIL, and a myriad of other standards and regulations. In the height of the Sarbanes-Oxley Act (SOX) fallout, some HP service desk colleagues and I collaborated with HP Audit and HP IT on a compliance reporting concept. The idea was that by demonstrating effective controls (largely through a set of service desk and related operations metric reports), we (HP) could persuade our external auditor to put fewer IT auditors on the bus that was sent out to evaluate us. The IT audit bus was just a phrase - to the best of my knowledge anyhow. As an aside, the output may have been on older reporting platform, but the information managed was surprisingly similar to what we now present via our HP Executive Scorecard VP of Ops persona.


In this mid 2000’s COBIT 4 timeframe, there were a number of papers and presentations on the relationship between ITIL, COBIT, and ISO 17799 (security). There would be reasonable paths woven between a regulation like Sarbanes-Oxley, to COSO, to COBIT, and then to ITIL and ISO 20000. In those days, I would travel with a popular, lightweight COBIT 4 book that was full of Key Performance Indicators, Process Key Goal Indicators, and IT Key Goal Indicators. If you compared the COBIT 4 guidance with ITIL guidance and a few other sources you could come up with a reasonable (but potentially broad) set of KPIs to consider, and you can still find a lot of this material out on the internet.


Leaving those golden years behind and coming back to the future, COBIT 5 ( clearly supports an enterprise level balanced scorecard approach. Interestingly, this is the same foundation HP uses in our IT Performance Suite strategy supported by the HP Executive Scorecard. To COBIT 5’s credit, there appears to be fewer KPIs to choose from. But, that is the essence of a KPI. In an analyst conversation a few weeks, the comment was made to the effect “isn’t 150 KPIs an oxymoron”. Further while I haven’t dug through COBIT 5 like I had version 4, a more corporate governance approach incorporating value and risk is also clear.


So what is the point of all of this?

  1. If you’re looking for a rich set of IT metrics to consider tracking along with related goals, download a COBIT 4 document. No wonder SOX audits were so expensive and considered so onerous. But, this is still a great reference if you're evaluating KPIs.
  2. If you’re looking for a more balanced scorecard approach and looking for operational guidance, there are a smaller set of KPIs to be found in the COBIT 5 materials. Or, you could stay tuned to Myles’ postings to see what he writes next.

And again if you haven’t done so already, please help us with our service desk KPI survey.



Chuck Darst


P.S. COSO - - The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a joint initiative of private sector organizations and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.


Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
Showing results for 
Search instead for 
Do you mean 
About the Author
HP IT Service Management Product Marketing team manager. I am also responsible for our end-to-end Change, Configuration, and Release Managem...

Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.