It governance

IT GOVERNANCE LUSUNGU MKANDAWIRE MARCH 11, 2015 IIAM IT AUDIT ESSENTIALS WORKSHOP


Page 1: It governance

IT GOVERNANCE

LUSUNGU MKANDAWIRE

MARCH 11, 2015

IIAM IT AUDIT ESSENTIALS WORKSHOP

Page 2: It governance

AGENDA

What is IT Governance

Elements of IT Governance

Benefits of IT Governance

Frameworks for IT Governance

Auditing IT Governance

Role of Internal Audit

Page 3: It governance

OBJECTIVES

Provide an overview of IT Governance and describe its importance

Describe one approach to auditing IT Governance, including key scope areas, involved parties/stakeholders, and key questions to answer

Describe current trends in IT Governance and how they can be incorporated into IT Governance audits

Page 4: It governance

WHAT IS IT GOVERNANCE

IIA Definition: Consists of the leadership, organizational structures and processes that ensure that the enterprise’s information technology supports the organization’s strategies and objectives.

Mechanisms and structures used to clarify oversight, accountability, and decision-making frameworks for IT strategy, resources, and control activities

Provides for effective management of IT operations and IT projects to ensure alignment with the institution’s strategic plan

Page 6: It governance

ELEMENTS OF IT GOVERNANCE

According to ITGI, there are 5 areas of focus:

Strategic alignment

Value delivery

Resource management

Risk management

Performance measurement

Page 7: It governance

ELEMENTS OF IT GOVERNANCE

IT Strategic Alignment: formalized business objectives, up-to-date IT strategy, linkage between business objectives and IT initiatives;

Value Delivery: IT tactical plans, clear benefits for each level of the organization: infrastructure (systems uptime), applications (degree of automation), operational (productivity), financial (income);

Risk Management: defined responsibilities for risk management, risk analysis methodology, defined strategies for addressing risks, continuous monitoring of threats, their occurrence and impact;

Resource Management: sourcing strategies, human resource management practices, user manuals, segregation of duties, time reporting, infrastructure life cycle management, acceptable usage policies;

Performance Measurement: relevant and measurable metrics, continuous monitoring and reporting, follow-up policies, root cause analysis and problem management, benchmarking against industry practices and proven standards or frameworks.

Page 8: It governance

BENEFITS OF IT GOVERNANCE

Strengthens the relationship between the organization and IT; helps ensure limited IT resources are focused on the right strategic and tactical activities at the right time

Synergies with Enterprise Risk Management (ERM) and other risk management activities; helps ensure the appropriate IT risk management processes and activities are in place and operating effectively

Page 9: It governance

BENEFITS OF IT GOVERNANCE

Enhanced visibility into the IT Function’s ability to achieve both its tactical and strategic objectives; Key Performance Indicators (KPIs) for day-to-day activities and longer-term/strategic initiatives

Improved adaptability of the IT Function to organizational and IT environment changes; formality of governance structure, processes and activities enables a more efficient and effective response to change

Page 10: It governance

FRAMEWORKS FOR IT GOVERNANCE

Capability Maturity Model Integration (CMMI): for process improvement

Information Technology Infrastructure Library (ITIL): for IT service management

Six Sigma: for process improvement, especially security processes

Control Objectives for Information and Related Technology (COBIT): for information technology (IT) management and IT governance

The Balanced Scorecard (BSC): a method to assess an organization’s performance in different areas

Page 11: It governance

IIA STANDARDS

IIA Standard 2110: “The internal audit activity must assess and make appropriate recommendations for improving the governance process”

IIA 2110.A2: “The internal audit activity must assess whether the [IT] governance of the organization supports the organization’s strategies and objectives”

Impacts downstream IT and business processes and controls by setting a foundation

Page 12: It governance

AUDITING IT GOVERNANCE

How do we get started?

Scoping

Stakeholder involvement

Areas of focus

Tactical steps

Our example will be higher education institutions

Page 13: It governance

AUDITING IT GOVERNANCE

What should my scope be?

Scoping is always a challenge in higher education institutions, and IT Governance is no exception

Ideally, even in a decentralized environment, the IT Governance framework applies across campuses, schools, and departments/units/divisions

Realistically, where can we get started?

Page 14: It governance

AUDITING IT GOVERNANCE

What should my scope be?

Department/unit/division level (smaller and less complex)

School level

Campus level

Institution-wide level (larger and more complex) – the ideal scope!

Page 15: It governance

AUDITING IT GOVERNANCE

Who are the stakeholders involved? Depends on your scoping, but we will look at it from the institution-wide view

Potential Stakeholders:

Board

President/Chancellor

Provost

Deans

Chief Business/Financial Officer

Administrative department heads

Chief Information Officer

Information Security/Privacy Officer(s)

Chief Compliance/Risk Officer(s)

Research/Principal Investigators

Students

Page 16: It governance

AUDITING IT GOVERNANCE

What are my areas of focus?

Institutional Governance Structures

Executive Leadership and Support

Strategic and Operational Planning

IT Organization(s) and Risk Management

Service Delivery and Management

Page 17: It governance

AUDITING IT GOVERNANCE

Institutional Governance Structures

Page 18: It governance

AUDITING IT GOVERNANCE

Executive Leadership and Support

Page 19: It governance

AUDITING IT GOVERNANCE

Strategic and Operational Planning

Page 20: It governance

AUDITING IT GOVERNANCE

IT Organization(s) and Risk Management

Page 21: It governance

AUDITING IT GOVERNANCE

Service Delivery and Management

Page 22: It governance

AUDITING IT GOVERNANCE

IT Governance Trends

Cost Efficiencies (Outsourcing / The Cloud)

Information Privacy and Security

Virtualization

Centralization vs. Decentralization

Page 23: It governance

ROLE OF INTERNAL AUDIT

Minimum assurance is provided by a compliance audit against Standard 2110.A2: depending on the maturity of the IT Function, the governance program, the control environment and the results of the most recent risk assessment, IT Governance audits could be performed on an annual basis or up to two to three years apart.

Consulting: would likely be the result of findings from the compliance review related to Standard 2110.A2, for example:

Remediation assistance

Post-audit follow-up review

Training

Facilitated workshop on IT Governance best practices

Page 24: It governance

ROLE OF INTERNAL AUDIT

Compliance and Consulting: the audit team should have extensive experience in IT and operational audit

Important to understand there is no one-size-fits-all IT Governance model

The process of moving from an ineffective IT Governance model to an effective, optimal model takes time; there are generally little to no quick fixes

Full support from the Board and Senior Management is critical for an organization to have an effective IT Governance model

Page 25: It governance

SUMMARY

Mandatory nature of the Standards and in particular 2110.A2

IT Governance audits and their relationship to external QARs

Regardless of the IIA Standards, performing IT Governance reviews on a periodic basis is vitally important due to the tremendous amount of dollars spent by the IT Function and on technology

Page 26: It governance

Thank You! Lusungu Mkandawire

[email protected]

265999989153

www.linkedin.com/pub/lusungu-mkandawire/57/102/283

https://twitter.com/MLusungu