Date post: 07-May-2018
IT Governance & The COBIT 5.0 Framework

McGladrey Brought to you by:

Introduction

Ryan C. Hay, CISA, CISSP, ITIL
- My background
- Current role
- My views on IT governance & COBIT 5.0
- Expectations from this presentation

About McGladrey

McGladrey is the fifth largest U.S. provider of consulting, assurance and tax services, with nearly 6,700 professionals and associates in more than 75 cities nationwide. McGladrey is a licensed certified public accountant (CPA) firm, and is a member of RSM International, the sixth largest global network of independent consulting, accounting, and tax firms. As a full-service firm, McGladrey offers the scale, industry insight, thought leadership and multidisciplinary range of services clients require. http://mcgladrey.com/

Our Agenda

- The Purpose Behind Governance
- Using Frameworks & Methodologies
- COBIT 5 Overview
- Overview of McGladrey COBIT 5.0 Assessment

The Purpose of Governance

The Role of Governance

http://www.youtube.com/watch?v=IGQmdoK_ZfY How appropriate ….

The Role of Governance

The purpose of this video is to show that we all get stuck in our day-to-day lives, and there needs to be a system in place that can detect the “gorilla”. This is commonly referred to as governance. Let's see it again: http://www.youtube.com/watch?v=IGQmdoK_ZfY

The Role of Governance

The Value of Governance
• Ability to look at things holistically and see the bigger picture
• Helps ensure that the process is followed
• Removes barriers to getting activities accomplished
• Can aid in making the tough decisions
• Ensures compliance with standards and regulations
• Increases visibility and awareness of a project

Using Frameworks & Methodologies

Pop Quiz

Does this framework look familiar to anyone?

Anyone, Anyone ….

Framework Architecture

The bottom indicates a “Foundation” layer – qualities/capabilities that are key to the framework and its success.

The middle sections refer to internal actions/activities/behaviors that build upon the foundation for delivery.

The top layer typically refers to what is delivered from the framework to external groups.

That’s correct: This is the IIA Audit Competency Framework

Other Popular Frameworks

[Figure: framework layers shown as Governance, Standards, Management, Operations, and SDLC]

Governance frameworks typically focus on holistic oversight across an organization or group.

Standards frameworks typically provide specific items that must be in place to maintain a level of compliance.

Management frameworks typically focus on how to manage specific activities across a lifecycle for delivering a capability/product.

Operational frameworks focus more on providing guidance on how to get things done on a day-to-day basis.

This isn’t black and white: many of these frameworks bleed over into other layers as each organization tries to expand its scope to cover just about everything.

COBIT 5 Framework Overview

Principles of COBIT

Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.

The COBIT 5 framework seeks to instill a number of core principles within the organization to enable success. Let's review each …

What guides each of these principles?

COBIT 5 Overview

Source: COBIT® 5, figure 15 – COBIT 5 Governance and Management Key Areas. © 2012 ISACA® All rights reserved.

Taking a deeper dive …

COBIT Reference Model

COBIT has 37 different domains that each focus on how to run/manage capabilities across IT.

COBIT Domains
• Evaluate, Direct, and Monitor (EDM): These governance processes deal with the stakeholder governance objectives (value delivery, risk optimization, and resource optimization) and include practices and activities aimed at evaluating strategic options, providing direction to IT and monitoring the outcome.

• Align, Plan, and Organize (APO): Provides direction to solution delivery (BAI) and service delivery and support (DSS). This domain covers strategy and tactics, and concerns identifying the best way IT can contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organization, as well as technological infrastructure, should be put in place.

• Build, Acquire, and Implement (BAI): Provides the solutions and passes them on to be turned into services. To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. Changes in and maintenance of existing systems are also covered by this domain, to ensure that the solutions continue to meet business objectives.

• Deliver, Service, and Support (DSS): Receives the solutions and makes them usable for end users. This domain is concerned with the actual delivery and support of required services, which include service delivery, management of security and continuity, service support for users, and management of data and operational facilities.

• Monitor, Evaluate, and Assess (MEA): Monitors all processes to ensure that the direction provided is followed. All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance.

Evaluating COBIT 5

General Benefits of COBIT 5:
• Most holistic framework for managing IT (or any other function for that matter)
• Borrows from many other leading-practice frameworks (PMI, ITIL, COSO…)
• Provides a wealth of knowledge and documentation for improving capabilities and processes.

Potential Risks of COBIT 5:
• Is it too much?
• Has a few gaps, for instance – how to manage data/information.
• Does it detract focus from core capabilities of IT?

Applying COBIT to IIA

The COBIT Framework can provide the internal audit function with key tools to make life easier.
• Provides holistic guidance for how to manage IT
• Brings consistency to how daily work and projects are managed and delivered
• Helps identify exceptions to standard process, and address them accordingly
• Provides visibility to less-mature capabilities, so mitigating controls can be put into place

McGladrey COBIT 5 Assessment

COBIT Domain Maturity

Level 0 – Incomplete: The process is not implemented or fails to achieve its process purpose. At this level, there is little or no evidence of any systematic achievement of the process purpose.

Level 1 – Performed: The implemented process achieves its process purpose.

Level 2 – Managed: The previously described performed process is now implemented in a managed fashion (planned, monitored, and adjusted) and its work products are appropriately established, controlled and maintained.

Level 3 – Established: The process is implemented using a defined process that is capable of achieving its process outcomes.

Level 4 – Predictable: The process operates within defined limits to achieve its process outcomes.

Level 5 – Optimizing: The process is continuously improved to meet relevant current and projected business goals.

COBIT Assessment

McGladrey can help your organization quickly assess the IT organization across the COBIT framework to provide a holistic view on identifying and improving the capabilities of IT.

Our experts can help provide specific detail to the scores, findings and recommendations across each COBIT domain – giving your organization a detailed roadmap for improving capabilities.
