BIT2318: Topic 3 IT GOVERNANCE


Essentials of IT in today's business

Challenges and concerns are:

- Aligning IT strategy with the business strategy
- Cascading strategy and goals down into the enterprise
- Providing organizational structures that facilitate the implementation of strategy and goals
- Insisting that an IT control framework be adopted and implemented
- Measuring IT's performance

IT without Governance

IT without governance is reactive: unable to plan, to acquire or develop the correct skills, or to understand priorities.

For instance, without a structured process, all projects are number-one priorities. With budgets being flat or minimally increasing, it is difficult to know where to focus.

IT Governance

IT governance processes allow IT to understand and manage IT-enabled business change.

An IT governance framework addresses strategic alignment, performance measurement, risk management, value delivery and resource management.

Effective application of the IT governance framework (ITG FW) is the responsibility of the board of directors and executive management.

IT governance is an integral part of enterprise governance and consists of the leadership, organizational structures and processes that ensure the organization's IT sustains and extends the organization's strategies and objectives.

An IT governance framework, such as Control Objectives for Information and related Technology (COBIT) can be a critical element in ensuring proper control and governance over information and the systems that create, store, manipulate and retrieve it.

Best practice of ITG leads to:

- Aligning IT/IS goals with the company's goals – a strategic role of senior management, not a tactical one.
- Establishing accountability – individuals are held responsible for their actions (clear processes, procedures, jobs etc.). Responsibility starts with employees and builds up to top management.

ITG Structure

How to establish ITG?

- Create an IT Strategy / Steering Committee: to evaluate IT strategy and process (DAIM) to ensure it supports the organization's strategies – ALIGNMENT.
- Develop policies and procedures: DAIM of systems or IT-based projects.
- Define job rules.
- Execute good HR practices.
- Perform risk assessment and periodic audits: to ensure management receives sufficient and timely information about IT performance.

Auditor's Role in IT Governance

Provide guidance and recommendations to senior management:

- Learn the organization – goals and objectives, MS.
- Review the IT Strategic Plan – IT project planning, 3–5 years.
- Analyze the organizational chart – roles and responsibilities of employees.
- Study job descriptions – level of responsibility and accountability for one's actions.
- Evaluate existing policies and procedures – approved activities of employees.

IT Steering Committee (Fig. 2.2)

- Business Management – CEO
- IT Management – CIO or representative
- Legal – Legal Executive
- Finance – CFO, for financial guidance
- Marketing / Sales – Senior Manager
- Quality Control – IT usage meets the required standard
- Research & Development – IT meets the needs of new products
- Human Resource – IT efforts benefit, and are fair to, employees

IT Steering Committee

Responsibility: review major IT projects, budgets and plans. Has a formal charter. Provides strategic guidance but is NOT involved in the daily activities of the IT Department.

Organizational Structure

The design structure of the IT function is influenced by cultural, political and economic forces.

Example (organizational chart in the slides): CEO; VP Foreign Operations; VP Local Operations; VP IT; IT Manager; R&D; Sales & Mktg Manager; HR Manager; Finance & Accounting.

IT Organizational Structure

IT Function Manager, with the following managers reporting to it:

- Computer Security Manager: SW security, info security, network security, physical security
- Computer Operations Manager: data input, info processing, info output, continuity of operations
- SD Manager: system analysis, computer programming, DBA, QC
- User Services Manager: technical support, application support, user training, help desk

Internal control consideration: separation of duties.

IT Strategy

IT strategy must align with the Business Strategic Plan. IT function objectives include:

- Create an atmosphere that embraces innovation and change.
- Apply HW and SW technologies to opportunities that promote prosperity.
- Incorporate enterprise-wide systems to facilitate coordination of business activities.
- Develop a technology-based communications network capable of linking suppliers, customers and employees.

IT Strategy

IT objectives set the foundation for IT strategy.

IT Strategy – details HOW the IT function will achieve its objectives through organizational structure, relationships with others and IT configurations.

Ex: The IT function will use a decentralized form of organization that is adaptable to the dynamic nature of the company. It consists of the CIO, who with delegates will strive to cooperate and coordinate with all internal information customers to ensure the company's information system is fully integrated, and that business processes and IT infrastructure meet ever-changing demand…

IT Function should:

- Develop a Strategic IT Plan.
- Articulate the information architecture.
- Find the optimal fit between IT and the company's strategy.
- Maximize IT investment.
- Communicate IT policies to users.
- Conduct IT risk assessment.
- Incorporate sound project management techniques.

The relationship between a policy, standard, guideline, and procedure

Organizational IT Policies, Standards and Procedures

These reflect management's view of the company.

POLICY – covers most aspects of organizational control to meet legal and business requirements. States who is responsible and what standards must be upheld to meet minimum CG requirements. Dictates how activities occur in each of the functional areas.

Policy development: top down vs bottom up.

Policies must address:

(i) Regulatory – the organization's standards meet local, state and federal laws.
(ii) Advisory – consequences of employees' behavior and actions, e.g. Internet use.
(iii) Informative – to inform employees/customers, e.g. return policy for Internet sales.

Security Policy – dictates management’s commitment to the use, operation and security of IS and assets.

Disaster Recovery and Business Continuity Policy

Auditor's part on Policy

- Look closely at the policy to understand how a specific process functions, e.g. DCRP policy: HW, SW, backup media, site.
- Examine these critical documents; any findings are referenced back to the policy.
- Verify how well the policy actually maps to activity.
- Review to ensure policies are current.

Procedures

Step-by-step instructions; detailed documents tied to specific technologies and devices. They describe how policy should be carried out, e.g. DCRP. More dynamic than policy, so as to stay relevant with changes in processes, equipment etc.

Auditor's part?

- Review relevant procedures and map them to employee behavior through observation or interview.
- Misalignment? No procedure / not effective / lack of training on procedures.

Standards and Guidelines

Standard – mandatory requirements to be adhered to, e.g. e-mail encryption, password length.

Guidelines – statements in a policy or procedure to determine a course of action.

- Best practices
- Not mandatory

Reviewing Documentation

To verify that documents are being used in the way management has authorized and intended them to be used.

Internal – HR documents, QA documents, operation manuals, IT forecasts and budgets, security policy, organizational chart, job details.

External – vendor contracts, bidding process.

Potential Problems

- Excessive costs
- Budget overruns
- Late projects / aborted projects
- Unsupported HW changes
- Lack of, or outdated, documentation
- Employees unaware of documentation

PERFORMANCE MEASUREMENT

Activities to ensure organizational goals are met effectively and efficiently. Mechanisms are financial and non-financial.

Balanced Scorecard (Kaplan & Norton, 1996):

- Customer's perspective: users' satisfaction with system reliability, ease of use, IT staff.
- Internal operations: operational performance, e.g. no. of security breaches, no. of backlogged requests, % of downtime.
- Innovation and learning: adaptability and scalability, e.g. ease of integrating new technology into the existing architecture, IT growth.
- Financial evaluation: profit, market share, ROI, NPV, transaction cost pre and post IT project.

Performance Review

Performance review refers to the identification of a target to be monitored, tracked, and assigned to a responsible party, and the resolution of any open issues.

Existing systems require a regular review to determine the ongoing level of compliance to internal controls and the next steps to take.

Capability Maturity Model (CMM)

The Capability Maturity Model (CMM) is a method for evaluating and measuring the maturity of processes in organizations.

A rating scale from 0 to 5 is used. A score of zero indicates that nothing is occurring.

Level 1 maturity indicates that the initial activity was successful and may later progress up to level 5, when the activity is statistically controlled for continuous improvement.

The CMM rating scale was developed by the Software Engineering Institute at Carnegie Mellon University and has been widely used for rating business process capabilities.

Level 0

Level 0 = Nothing yet. The level of zero is implied in the CMM but may not be noticed. This is important when evaluating process maturity.

Missing processes and controls without evidence will be rated as zero. Many individuals assume that all controls are present when, in fact, some may be missing. A process or control must have occurred in order to reach a level of maturity (1–5).

Level 1

Level 1 = Initial. Processes are unique and chaotic. The organization does not have a stable environment. Success is based on individual competencies and heroics. This level often produces products and services that work.

However, output may exceed the available resources or be dependent on specific individuals. At level 1, people have the most freedom and flexibility to make their own decisions.

Level 2

Level 2 = Repeatable. Processes are repeatable. The organization uses project management to track projects. The project status is communicated by using milestones with a defined work breakdown structure.

The basic standards, processes, descriptions, and procedures are documented.

Level 3

Level 3 = Defined. Processes are well documented and understood. Level 3 is more mature and better defined than level 2. Processes have objectives, measurements, improvement procedures, and standards.

The results in level 3 are predictable by qualitative measure.

Level 4

Level 4 = Managed. Management can use precise measurement criteria to control the processes and identify ways to adjust the results.

Processes at level 4 are predictable by quantitative measure.

Level 5

Level 5 = Optimized. This is the highest level, with continuous improvement of processes.

Objectives for improvement are defined and continually revised to reflect business needs and objectives. Products at CMM level 5 have been so well defined that they are effectively converted into a commodity.

Level 5 is the ideal maturity for the maximum level of control in outsourcing. It allows the company to switch to using less-skilled people who are told what to do, pay less, and demand unquestionable authority.

People have the least authority with the fewest decisions at level 5.

IT Resource Investment

- Funding IT operations
- Acquiring IT resources
- Staffing the IT function: hiring, rewarding, terminating

RISK MANAGEMENT

- Risk management team
- Asset identification
- Threat identification
- Risk analysis method: quantitative or qualitative

Key Planning Risk Indicators

- Strategic planning not used.
- IT risks not assessed.
- Investment analysis not performed.
- Quality assurance reviews not conducted.
- Plans and goals not communicated.
- IT personnel are disgruntled.
- Technology infrastructure inadequate.
- Users unhappy with support.
- Management's information needs not met.

Monitoring and Assurance of IT Performance

Management practices and controls:

- Employee management
- Sourcing
- Change management and quality improvement

Personnel roles and responsibilities:

- Employees' roles and duties
- Segregation of duties
- Compensating controls

Controlling IT functions:

1. Security controls – physical security, logical security
2. Information controls – input controls, process controls, database controls, output controls
3. Continuity controls – backup controls, data backup, hardware backup, disaster recovery controls

CONCLUSION

Effective management of the IT function is a critical success factor in ensuring the economic viability of an organization.

ITG runs from the top down: the goals of the IT/IS function align with the organization's goals.

Auditor's task:

- Review documents, standards and policies to determine how closely they match employees' activities.
- Review job roles and responsibilities to understand the risks individuals might pose to the company.