IT Governance: A Framework for Performance and Compliance

Ron Saull, Senior Vice-President and CIO, Information Services Organisation, Great-West Life / IGM Financial

ITGI Japan Opening Celebration Conference, November 18, 2006, Tokyo, Japan


Presentation Outline

1. Introduction
2. IT Governance Framework
3. IT Governance Implementation
4. Control Framework for SOX
5. Using CobiT for C/SOX
6. Issues in Application Controls
7. Questions

Who am I?

• MBA, CSP
• Professional experience: Systems Analyst, Project Manager, Consultant, IT Director
• CIO since April, 1996
• Member of ISACA / ITGI since 1996
• Current ITGI involvement:
  – Trustee, ITGI International Board
  – Chair, ITGI Advisory Panel
  – Member, ITGI Committee

[Diagram: corporate structure. Entities shown: Power Financial Corporation; Great-West Lifeco Inc.; IGM Financial; Great-West Life Canada; London Life; Canada Life; Great-West Life & Annuity (US); Investors Group Inc.; Mackenzie Financial; IPC Financial Network Inc.; Parjointco N.V.; Pargesa Holding S.A.; Groupe Bruxelles Lambert; I.S. Organisation]

Information Services “Scale”

[Map: I.S. locations – Regina, Winnipeg, London, Toronto, Montreal, Isle of Man, United Kingdom, Ireland, Germany]

Overall Headcount = 1,463
2006 Budget = $324M

I.S. goes international

I.S. Shared Services Operating Principles

• We are a cooperative enterprise vs. an outsourcing relationship.
• Our objective is to deliver optimal value to our clients.
• We share a commitment to a target state architecture.
• All companies share a commitment to maximise synergies.

I.S. Integration Principles

Over the course of six company integrations, we have developed a set of basic integration principles which have contributed to our success. That is, to the extent practical, we:

• Pursue single system solutions
• Centralise
• Standardise
• Adhere to strict financial disciplines

I.S. Integration Results Achieved

Annual Synergies ($M)

Integration                                   GWL/LL/CL   IG/MFC/IPC    Total
GWL/LL/IG Integration (1998-2000)                  78.8         19.7     98.5
IG/MFC Integration (2001-2003)                        -         17.6     17.6
Canada Life Integration (2003-2005)                90.0            -     90.0
IPC Integration (2005)                                -          0.8      0.8
Canada Life Europe Integration (2005-2006)          4.0            -      4.0
Total                                             172.8         38.1    210.9

I.S. Strategy Summary

[Strategy map: “Increasing Credibility and Impact”. Objectives by perspective:]

Corporate Contribution Perspective
• Ensuring Effective I.S. Governance: Align I.S. with Business Objectives; Deliver Value; Manage Resources; Manage Risks; Achieve Inter-Company Synergies
• Measuring Up to Business Expectations: Demonstrate Competitive Costs; Deliver Agreed Service; Achieve Positive Impact on Business Processes; Enable Achievement of Business Strategies

Customer Perspective (Service Provider / Strategic Contributor)
• Operational Excellence; Business Partnership; Technology Leadership

Internal I.S. Process Perspective – Carrying out the Roles of the I.S. Organisation’s Mission
• Build Standard, Reliable Technology Platforms; Manage Operational Service Performance; Mature I.S. Internal Processes; Achieve Scale Economies; Deliver Successful I.S. Projects; Understand Business Unit Strategies; Propose & Validate Enabling Solutions; Develop the Enterprise Architecture; Understand Emerging Technologies; Support Technology Users; Plan & Manage I.S. Service Delivery

Future Orientation Perspective – Building the Foundation for Delivery & Continuous Learning & Growth
• Attract & Retain People with Key Competencies; Focus on Professional Learning & Development; Build a Climate of Empowerment & Responsibility; Measure/Reward Individual & Team Performance; Capture Knowledge to Improve Performance

I.S. Structure

[Organisation chart: EVP Client & Information Services; SVP & CIO - Information Services]

Business unit delivery teams designed to meet the needs of the specific company and line of business strategies:
• Account Management
• Application Delivery
• Career Centres
• Strategic Business Services

Enterprise-wide services are designed to create and leverage economies of scale and manage IT risk across the companies:
• Enterprise-Wide Services
• Shared Infrastructure Services
• I.S. Risk Management / Risk Management Office
• I.S. Financial Management

2. IT Governance Framework

What Makes IT Governance so important?

In October 2005 McKinsey and the London School of Economics measured the increase in productivity from investments in IT versus investments in management practices in 100 enterprises.

Additional spending in Information Technology can raise productivity… but only in well managed companies!

What Makes IT Governance so important?

Drivers
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment

• Low return from high-cost IT investments, and transparency of IT’s performance are two top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investments has doubled in 2 years (28% to 58%)
• Gartner – more than $600 billion thrown away annually on ill-conceived or ill-executed IT projects
• Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
• ITGI 2005 Survey early findings confirm concerns


What makes IT Governance so important?

Shareholders want protection for the Enterprise’s Share Price

“…if not filed, auditor must include a paragraph in its annual report that it cannot vouch for the enterprise’s ability as a going concern…”

“…financial reporting system is not up to speed…”

“…the company has lost a third more of its market value yesterday as it revealed a virtual collapse of its financial reporting system…”

“…data entry problems…”

What is IT Governance?

“IT governance is the responsibility of the board of directors and executive management. It is an integral part of enterprise governance and consists of the leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.”

ITGI, Board Briefing on IT Governance

[Diagram: IT Governance Domains / Focus Areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement]

IT Governance Focus Areas
1. Strategic Alignment – Aligning with the business and providing collaborative solutions
2. Value Delivery – Executing the value proposition throughout the delivery cycle
3. Resource Management – Optimising the development and use of available resources
4. Risk Management – Safeguarding assets, disaster recovery and compliance
5. Performance Measurement – Monitoring results for corrective action

IT Governance – The Five Focus Areas: Strategic Alignment

• Linking business and IT plans
• Defining, maintaining and validating the IT value proposition
• Aligning IT operations with the enterprise operations
• Provide collaborative solutions that
  – Add value and competitive positioning to the enterprise’s products and services
  – Contain costs while improving administrative efficiency and managerial effectiveness

Best Practices
• Integrated approach to business/IT strategy
• Cascading strategy and objectives down into the organisation
• Co-responsibility of business and IT
• Clearer objectives for IT investments
• IT Strategy and IT Steering Committees

In 2003, 49% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 70%.

IT Governance – The Five Focus Areas: Value Delivery

• Executing the value proposition throughout the delivery cycle
• Ensuring that IT delivers the promised benefits against the strategy
• Concentrating on optimising expenses & proving IT’s value
• Controlling projects and operational processes with practices that increase the probability of success (quality, risk, time, budget, cost, etc.)

Best Practices
• Formal tracking of business value of IT
• Enabling effective value measurement (ROI, TCO, NOV…)
• Disciplined approach to project management with a larger role for the business
• Commitment to formal methodologies/processes for development and service delivery
• Enterprise architecture planning

In 2003, 39% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 69%.

IT Governance – The Five Focus Areas: Risk Management

• Requires risk awareness of senior corporate officers, a clear understanding of the enterprise’s appetite for risk and transparency about the significant risks to the enterprise
• Embeds risk management responsibilities in the operation of the enterprise
• Addresses the safeguard of IT assets, disaster recovery and continuity of operations

Best Practices
• Awareness of IT risks based on continuous assessment
• Transparency to all stakeholders
• Establishing responsibility and embedding risk management into the organisation
• An integral part of compliance and assurance
• Use of formal IT risk and control frameworks
• Process management disciplines

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 78%.

IT Governance – The Five Focus Areas: Resource Management

• Optimal investment, use and allocation of IT resources and capabilities (people, applications, infrastructure, data)
• Maximising the efficiency of these assets and optimising their costs
• Optimising knowledge and the IT infrastructure
• Knowing where and how to outsource

Best Practices
• Supply/demand balancing
• Practices to train and sustain skilled staff including Career Centres for project assigned staff
• Consumption-based chargeback
• Transparency in expense management and cost allocation
• Formalised vendor management disciplines

In 2003, 50% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 75%.

IT Governance – The Five Focus Areas: Performance Measurement

• Using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
• Measuring relationships and assets necessary to compete: customer focus, process efficiency and the ability to learn and grow
• Tracking project delivery and monitoring IT services

Best Practices
• IT Balanced Scorecard as emerging reporting system
• A management reporting system that feeds back into the strategy
• Use of benchmarking for performance comparison
• IT Scorecard approval by the key stakeholders for alignment

In 2003, 34% of respondents had implemented, were considering implementing or were in the process of implementing this phase of IT governance. In 2005, 67%.

CobiT

What is IT Governance? Board Briefing on IT Governance, 2nd Edition

IT Governance: Definitions, facts, approach
• Framework
• Definitions
• Five Focus Areas: Emphasis on value and risk

Toolkit
• Questions to ask
• IT Governance Practices
• Metrics to consider

Supporting material
• IT Strategy committee charter
• IT Governance implementation advice
• Roles and responsibilities of key players

3. IT Governance Implementation

Organisational Systems

The focus areas of IT Governance must be embedded within the organisation’s systems.

• Culture – habits and practices
• Structure – responsibilities and workflows
• Internal Economy – resource governance processes
• Methods and Tools
• Metrics and Rewards

Organisational systems are relatively stable, influence everyone’s performance and can be consciously designed.

Source: N. Dean Meyer

Strategic Alignment

Internal Economy
• I.S. expenses are targeted and capped (zero tolerance)
• I.S. expenses are fully burdened and recovered by consumption-based chargeback (zero profit)
• Lines of business have clear ROE targets which include I.S. chargebacks

Structure
• Strategy: Inter-company I.S. Executive Committee, ISEC
• Operations: Business Process Owners, Account Managers, Service Delivery Managers
• Governance: Executive/Risk Management Committees, Functional Leadership
• Development: Line of Business Steering Committees, Account Managers

Methods & Tools
• Strategy: I.S. Strategy Map, Balanced Scorecard, CobiT
• Operations: Service Level Agreements, I.S. Product and Service Standards
• Governance: Risk / Compliance / Maturity Assessments (CobiT)
• Development: Business Case Disciplines > $500K

Metrics & Rewards
• Financial Targets: Minimum 15% annual growth in shareholder earnings, 18% ROE: Company, Line of Business
• Contributing Metrics: Sales, Expense Management, Customer Service, Project Delivery, Service Achievement
• Rewards: Ties to management incentives, stock option / purchase plans

Culture
• Empowered hierarchy, command and control management style
• Rigorous approaches to analysis, planning and risk management (fact-based)
• Strong preference for measurable, verifiable benefits

Alignment is achieved within the structure of the companies’ annual planning and budgeting process through the transparency of the value/risk versus cost propositions.

Value Delivery

Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• Allocations are exceeded only by formal change control, first considering scope reduction
• Expense over-runs at the activity level are offset within the lines of business (LOB’s), or failing that, across the LOB’s

Structure
• Operations: Business process owners, Service Delivery Managers, Service Management Process
• Governance: Risk Management Committee (risk, compliance, audit, I.S.)
• Development: Business sponsors, I.S. Project Managers, I.S. leadership teams, A.C.T.

Methods & Tools
• Operations: ITIL, CobiT, SAP
• Governance: CobiT, SAP, Terms of Engagement
• Development: PMI-based methodology, formal SDLC methodologies, Bates Project Management, SEI-CMMI, Enterprise Architecture, TeamPlay, SAP

Metrics & Rewards
• Operations: Co-responsibility for results with business (service, cost, problem management)
• Governance: Accountability to executive committees (incidents, maturity, audits, initiative completions)
• Development: Co-responsibility for results with business (quality, risk, time, cost)
• Rewards: Ties to incentives at next levels of management and practitioners

Culture
• Active, hands-on management of emerging results and adjusting actions
• Business partnership: business says “what”, I.S. says “how”
• I.S. is a professional services organisation: we charge for our services, strive for repeatable performance

Value delivery is ensured on business projects and operations through co-responsibility with business leaders and on governance through direct accountability to the executive committees.

Risk Management

Internal Economy
• Governance improvements are structured as internal I.S. initiatives and compete for approval along with business projects
• Scrutiny is also focused on the total expenditures on risk management activities

Structure
• Executive: Executive committee sponsorship, risk committee oversight
• Risk Management: I.S. Risk Management Office with focus on risk assessment, security, privacy, DR, compliance and process / quality management
• Supplier Management: Vendor Relations Team focuses on leveraged purchasing and contractual risks

Methods & Tools
• Security: CobiT, ISO 17799
• Risk Management: COSO/Methodware: Enterprise Risk Assessor
• Disaster Recovery: CobiT, IBM maturity framework
• Control: CobiT, COSO

Metrics & Rewards
• Progress: Measured through initiative completions, maturity assessments and audits
• Results: Avoidance of major incidents (non-occurrence, response)
• Rewards: Tied to incentive based on results, progress and quality of assessments

Culture
• Willingness to accept reasonable level of risk
• Risks must be explained in detail and target maturity levels justified
• Risk management viewed as overhead, value proposition is challenging

Risk management is approached by selecting an acceptable risk level based upon the detailed assessments of exposure, probability of occurrence, compliance to legal or regulatory requirements and emerging industry good practice.

Resource Management

Internal Economy
• I.S. expense budgets are allocated to lines of business and specific activities; these allocations act as expense caps
• I.S. is accountable to manage within its budget (gatekeeper role)
• Business leaders cannot spend above their I.S. budget without approval of the president

Structure
• Operations: Business process owners, Account Managers, Service Delivery Managers
• Governance: Risk Management Committee, functional leadership, ISFM, Career Centres, ISHR Organisation
• Development: Business steering committees, business sponsors, I.S. project managers

Methods & Tools
• Human Resources: TimeControl, SEI-PCMMI, Career Centres for project assigned staff
• Financial: SAP, TeamPlay, MICS, Remedy
• Applications / Data: Inventory, Remedy

Metrics & Rewards
• Human Resources: Utilisation / “billable” ratios, blended labour rates, benchmark staffing ratios
• Financial: Expense management, unit cost targets
• Assets: Managed seat costs, recovery for assets
• Rewards: Tied to management incentives at all levels

Culture
• Strong belief in internal expense management capability
• Decided preference for internal sourcing and control
• Expectation of managers to know / be engaged at a detailed level and be fiscally responsible

Resource management is the most direct and controllable leverage point to ensure the delivery of our financial targets and is the focus of our detailed and active management approach.

Performance Measurement

Internal Economy
• Measurement investments are reviewed along with other control costs
• Measurement systems must demonstrate that control information is actionable and costs do not exceed the value obtained

Structure
• Strategy: I.S. Executive Committee, ISFM, Process Management function
• Operations: Account Managers, Service Delivery Managers, Service Management Process
• Governance: Risk Management Organisation, Internal Audit, Compliance Officers
• Development: I.S. Project Managers, I.S. Project Management Office

Methods & Tools
• Strategy: I.S. Balanced Scorecard, CobiT
• Operations: Management Report by LOB, ITIL
• Governance: CobiT
• Development: Major Projects Review methodology

Metrics & Rewards
• Metrics: Measurable outcomes are required for all management objectives
• Rewards: Rewards and bonuses are only triggered when results are measured

Culture
• Belief: “If you cannot measure it, you cannot manage it”
• “Show me” culture, insistence on demonstrable results
• “We deliver on our commitments”

Performance measurement is an essential element of the management discipline to drive delivery, validate the effectiveness of business and I.S. strategy and to trigger management rewards based on company performance and individual contributions to its achievement.

Key IT Governance Practices

• Executive and business level steering committees
• Clear roles and responsibilities – business sponsors say “what”, IT says “how” (Terms of Engagement)
• Internal economy model – supply/demand balancing, consumption based chargeback
• Use of best practice frameworks for process and control
• Linkage of measured results to rewards
• Strong culture of rigorous analysis, fact-based decision making and active, hands-on management

Process Model Selection

[Chart: process models positioned by Levels of Abstraction (Holistic / General / Specific) against IS/IT Relevance (Low / Moderate / High). Models shown: CobiT, ITIL, CMMI, P-CMMI, TCO, Six Sigma, ISO 9000, National Awards (such as Malcolm Baldrige Award), Scorecards]

Source: Gartner Research (June 2003)

CMMI = Capability Maturity Model Integration
CobiT = Control Objectives for Information and Related Technology
ITIL = IT Infrastructure Library
TCO = Total Cost of Ownership

IT Governance matures over time – Where is your roadmap?

[Chart: Governance Maturity over time (Governance Maturity against Time). Elements shown: CobiT; Sustaining Management Practices – Planning & organisation, Financial Management, Human resource management, Performance measurement; Service Delivery Issues – ITIL; Development Project Issues – PMI, CMMI/P-CMMI; Value Enhancement – VaLIT?; Risk/Compliance – COSO, ISO 17799, RiskIT, Other Risks?]

CobiT Implementation Guide – Two complementary perspectives

[Diagram: the What? and How? perspectives. Elements shown: Define strategy; Measure results; Good things to happen – Create value; Bad things not happening – Preserve value; Resolve problems; Continuous improvement. Focus labels: IT alignment focus, Value delivery focus, Risk management focus, Performance management focus]

General Approach to Governance Implementation

1. Identify priority issue(s) (governance or business drivers)
2. Map to IT goals, process and affected resources
3. Assign to Process Owner
4. Resolve issue and adjust process/resources
5. Use responsibility matrix to determine job impacts
6. Change job descriptions/expectations
7. Change measurement/monitoring systems
8. Incorporate into performance appraisals/reward processes

4. Control Framework for SOX

The Cost of SOX

IT, SOX and CobiT

[Diagram: Internal Control – COSO – CobiT]

IT, SOX and CobiT

Financial Assertions – Provide little input
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation

PCAOB – Provides only high level guidance on IT
• Program development
• Program changes
• Computer operations
• Access to programs and data

COSO – Needs more substance on IT
• Control environment
• Information and communication
• Risk assessment
• Control activities
• Monitoring

COBIT – Accepted standard for control over IT
• Limited to effect on financial reporting, i.e. excluding operational and efficiency issues
• To be used as a reference, customised based on enterprise needs
• Split into control activities and control environment

Organisation Controls

[Diagram: Executive Management above the business processes (Logistics, Finance, Manufacturing, etc.), supported by IT Services (OS/Data/Telecom/Continuity/Networks)]

Entity-level Controls
Entity-level Controls set the tone and culture of the organisation. IT entity-level controls are part of a company’s overall environment.
Controls include: Strategies and plans; Policies and procedures; Risk assessment activities; Training and education; Quality assurance; Internal audit

IT General Controls
Controls embedded within IT Processes that provide a reliable operating environment and support the effective operation of application controls.
Controls include: Program development; Program changes; Access to programs and data; Computer operations

Application Controls
Controls embedded within business process applications directly support financial control objectives. Such controls can be found in most financial applications including large systems such as SAP and Oracle as well as smaller OTS systems such as ACCPAC.
Control objectives/assertions include: Completeness; Accuracy; Existence/authorisation; Presentation/disclosure

C/SOX Roadmap – Sarbanes-Oxley Compliance

1. Plan and Scope IT Controls
• Review overall project documentation and identify application controls.
• Identify in-scope applications.
• Identify in-scope infrastructure and databases.

2. Assess IT Risk
• Assess the likelihood and impact of IT systems causing financial statement error or fraud.

3. Document Controls
• Document application controls (automated or configured controls and hybrid controls).
• Document IT general controls (access, program development and change, and computer operations).

4. Evaluate Control Design and Operating Effectiveness
• Determine that all key controls are documented.
• Test controls to confirm their operating effectiveness.

5. Prioritise and Remediate Deficiencies
• Evaluate deficiencies by assessing their impact and likelihood of causing financial statement error or fraud.
• Consider whether compensating controls exist and can be relied upon.

6. Build Sustainability
• Consider automating controls to improve their reliability and reduce testing effort.
• Rationalise to eliminate redundant and duplicate controls.

5. Using CobiT for C/SOX

C/SOX – An Enterprise Approach

[Diagram: control levels laid over the business process columns Financial Reporting, Underwriting, Disbursements, Treasury and Other. Labels shown: COSO, CobiT, Corporate Projects (GWL & IGM), I.S. Project, Infrastructure (General Computer Controls / General Application Controls)]

Level 0 – Entity Controls
• Tone from the Top

Level 0 – I.S. Entity Controls
• Support Tone from the Top

Level 1 – Automated Application Controls
• Data validation, edit checks & output reconciliations
• Interface Controls
• End User Security

Level 2 – General Computer Controls
• Change & Configuration management
• Network Administration
• Security Administration
• Data center operations
• Database Administration
• O/S Administration

Level 3 – General Application Controls
• System development
• Change control
• Data Recovery
• Database management
• Programmer security

IT Entity Controls (Level 0)

[Table: CobiT IT Processes mapped to the COSO Components (Control environment, Risk assessment, Control activities, Information and communication, Monitoring). Each ● marks one COSO component the process is mapped to.]

Process ID   CobiT IT Process                                          COSO components mapped
PO1          Define IT Strategic Planning                              ●●●
PO4          Define the IT processes, organisation and relationships   ●●●
PO6          Communicate management aims and directions                ●●
PO7          Manage IT human resources                                 ●●
PO8          Manage quality                                            ●●●●
PO9          Assess and manage IT risks                                ●
DS7          Educate and train users                                   ●●
ME1          Monitor and evaluate IT performance                       ●●●
ME2          Monitor and evaluate internal control                     ●●
ME3          Ensure regulatory compliance                              ●●●
ME4          Provide IT governance                                     ●●

IT General Controls (Level 2 & 3)

[Table: CobiT IT Processes mapped to the PCAOB Control Headings (Program development, Program changes, Computer operations, Access to programs and data). Each ● marks one PCAOB heading the process is mapped to.]

Process ID   CobiT IT Process                                  PCAOB headings mapped
AI2          Acquire and maintain application software         ●●●●
AI3          Acquire and maintain technology infrastructure    ●●●
AI4          Enable operation and use                          ●●●●
AI6          Manage changes                                    ●●
AI7          Install and accredit solutions and changes        ●●●●
DS1          Define and manage service levels                  ●●●●
DS2          Manage 3rd party services                         ●●●●
DS5          Ensure systems security                           ●●
DS8          Manage incidents                                  ●
DS9          Manage the configuration                          ●●
DS10         Manage problems                                   ●
DS11         Manage data                                       ●●
DS13         Manage operations                                 ●●

6. Issues in Application Controls

Issues in Application Controls

• The need for risk management is not appreciated
  – Demonstrate the value received for the investment in controls
  – Conduct regular communication and change management
• Business slow to recognise responsibility for Application Controls
  – Ensure Application Control and IT General Control teams coordinate
  – Acknowledge shared responsibility for sign-off
• Many older applications do not have the required controls
  – If risk is high, identify compensating controls
  – If risk is low, waive the requirement on a case-by-case basis

Issues in Application Controls

• Difficult to determine an ‘appropriate and measured response’
  – Identify critical business processes based on risk and materiality
  – Limit work to high priority processes
• There is a general lack of internal control expertise
  – Define and implement standardised monitoring processes
  – Minimise the risk of re-work – Do it right the first time!
• No definitive guidance from consultants or government
  – Use common sense based on experience
  – Be able to justify the decisions made

Need More Information? – Visit www.ITgovernance.org

7. Questions

Ron Saull
Senior Vice-President and CIO, Information Services Organisation, Great-West Life / IGM Financial
Great-West Life/London Life/Investors Group
60 Osborne Street North, Winnipeg, Manitoba R3C 3A5 Canada
[email protected]

ITGI Japan Opening Celebration Conference, November 18, 2006, Tokyo, Japan