Processes and controls

Controls are defined as those guidelines, procedures, practices and organizational structures which have been developed in order to ensure sufficient security so that the corporate objectives are achieved and undesirable events avoided or identified and corrected. An IT control objective is a statement on the required outcome or the intended purpose which is to be achieved with the implementation of control procedures integrated within certain activities. The COBIT control objectives are minimum requirements for the effective control of any IT process.
Operational management uses processes to organize and manage current IT activities. COBIT provides a generic process model which contains all the processes normally found in IT functions and, as such, provides a general reference model which can be understood by both operational IT management and company management.

To achieve effective governance, operational management must implement controls that are integrated into a control framework defined for all IT processes. Since the COBIT IT control objectives are categorized according to IT processes, this framework represents a clear link between the requirements of IT governance, IT processes and IT controls.

Every COBIT IT process contains a superordinate control objective as well as several detailed control objectives. Together these represent the characteristics of processes which are appropriately managed.

In addition to accepting the necessary controls, process owners must understand which inputs they need from other process owners as well as which outputs those owners require from them. COBIT contains generic examples of the key inputs and outputs for each process, including the external requirements. Some outputs are inputs to all other processes; these are marked 'ALL' in the output table. However, these outputs, such as targets for quality standards and metrics requirements, the IT process framework, documented roles and responsibilities, the company-wide IT control framework, IT guidelines or personal roles and responsibilities, are not listed as an input in every process.

Understanding the roles and responsibilities of all processes is key to effective control. COBIT contains RACI charts for all processes. These are diagrams which show who is responsible, accountable, consulted and informed. Being accountable means having final responsibility. In other words, this is the person who issues standards or approves activities. Those who are responsible are those who perform the activity. The other two roles ensure that all the necessary participants are involved and that they support the process.
