
Strategies for an IT Governance Audit
Rocky Mountain Information Security Conference - May 2012
Presented by: Chad Stowe, Experis SME Professional

Introduction: Chad Stowe, CISA, Experis Finance, SME Professional. 17 years of audit experience (15 as a CISA). Former VP of IT Audit at a large multi-billion dollar financial institution. MBA Honors Graduate from Regis University.

IT Governance Learning Objectives
- Understand a successful methodology, structure, and approach for IT Governance.
- Understand examples of successful methods for analyzing IT Governance.
- Understand the critical success factors in performing an IT Governance review in your organization.


IT Governance Methodology

What is IT Governance?
- A subset of Corporate Governance.
- Defines how IT resources are managed on behalf of stakeholders.
- Helps to assure stakeholders that investments in IT generate business value.
- Monitors and mitigates IT risks related to achieving the desired business value.
- Assigns accountability within the IT organization.
- Guided by the culture of the organization.

IT Governance (cont.):
- IT governance processes should align with the entire organization.
- Focused on the risks and values of governance processes.

IT Governance is NOT:
- Guided by regulatory compliance requirements.
- Defined by SOX controls.
- A checklist activity.

IT Governance Structure is focused on (mapping back to COBIT ME4 - Provide IT Governance):
1. Establishment of an IT Governance Framework
2. Strategic Alignment
3. Value Delivery
4. Resource Management
5. Risk Management
6. Performance Measurement

SOURCE: Information Systems Audit and Control Association - COBIT v4.1, www.isaca.org

IT Governance Framework and Strategic Alignment Value Drivers

1 - Establishment of an IT Governance Framework. Value Drivers:
- IT decisions in line with the business's strategies and objectives.
- A consistent approach for a governance framework achieved and aligned with the business approach.
- Processes overseen effectively and transparently.
- Compliance with legal and regulatory requirements confirmed.
- Stakeholder requirements for governance likely to be met.

2 - Strategic Alignment. Value Drivers:
- IT more responsive to the business's objectives.
- IT resources helping to facilitate the business goals in an efficient and effective manner.
- IT capabilities enabling opportunities for the business strategy.
- Efficient allocation and management of IT investments.

SOURCE: Information Systems Audit and Control Association - COBIT v4.1

Value Delivery and Resource Management Value Drivers

3 - Value Delivery. Value Drivers:
- Cost-efficient delivery of solutions and services.
- Optimized use of IT resources.
- Business needs supported efficiently.
- Increasing support for use of IT by business stakeholders.
- Increased value contribution of IT to business objectives.
- Reliable and accurate picture of costs and likely benefits.

4 - Resource Management. Value Drivers:
- Efficient and effective prioritization and utilization of IT resources.
- IT costs optimized.
- Increased likelihood of benefit realization.
- IT planning supported and optimized.
- Readiness for future change.

SOURCE: Information Systems Audit and Control Association - COBIT v4.1

Risk Management and Monitoring Value Drivers

5 - Risk Management. Value Drivers:
- Risks identified before they materialize.
- Increased awareness of risk exposures.
- Clear accountability and responsibility for managing critical risks.
- Effective approach for managing IT risks.
- IT risk profile aligned with management's expectations.
- Minimized potential for compliance failures.

6 - Performance Measurement. Value Drivers:
- Increased process performance.
- Areas of improvement identified.
- IT objectives and strategies being and remaining in line with the business's strategy.
- Processes overseen effectively and transparently.
- Timely and effective management reporting enabled.

SOURCE: Information Systems Audit and Control Association - COBIT v4.1

Example IT Governance Alignment Matrix (Source: COBIT 5 Draft)

IT Governance Assessment

Research and Benchmarking prior to Assessment
- Obtain sponsorship and agreement with executive management prior to performing any assessment.
- Set clear expectations and scope for the assessment.
- Identify both Business and IT personnel at the executive and lower-level manager level to interview during the assessment.
- Set a defined interview schedule.
- Know your interviewees and their responsibilities within the organization.
- Consider pre-interview surveys.
- Develop standardized assessment questions for each objective.

Research and Benchmarking prior to Assessment (cont.)
- Customize standard assessment questions to the interviewee while retaining the point of the question.
- Research potential answers to questions by interviewees prior to the interview.
- Understand the current business value drivers.
- Benchmark IT spend on projects and systems in relation to their strategic relevance.
- Understand how IT and the business benchmark themselves internally and in relation to their industry.
- Research emerging trends and the ITGI Global Status Report (www.isaca.org/ITGI-Global-Survey-Results).

Strategic Alignment Objectives

Objective: IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments.
Risks:
- The business strategic plan does not exist or is not clearly defined to enable the development of an IT strategic plan.
- The IT strategic plan does not exist or is not aligned with the business strategy.

Objective: CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies.
Risk:
- The IT strategic plan is not clearly communicated to key stakeholders.

Tactical Alignment Objectives

Objective: IT activities are optimized towards execution of the IT strategic plan.
Risks:
a) The IT strategic plan is not defined clearly enough to enable tactical plans.
b) The IT process framework does not support the execution of the IT strategic plan.
c) Vehicles are not in place to support IT governance activities.

Objective: IT has been allocated the resources to enable it to execute the strategic plan.
Risks:
d) The tactical plan does not identify which projects enable realizing IT strategy and business goals.
e) The tactical plan does not identify which projects enable realizing IT strategy and business goals.
f) Technology policies have not been established and implemented to support key governance activities.
g) The IT strategic and tactical plans do not include day-to-day activities (e.g. implementation and maintenance of the infrastructure and application portfolio to meet established business requirements and technological direction).
h) The IT strategic and tactical plans do not include mergers and acquisitions.
i) The IT strategic and tactical plans do not include emerging technologies and innovation.

Risk Management Objectives

Objective: The IT risk framework is in alignment with the company's overall risk management processes.
Risks:
a) Risk is not clearly identified and understood by the key stakeholders.
b) An IT risk framework does not align with the IT policies and the company's risk and control framework.

Objective: Significant IT project risks (obstacles to achieving objectives and strategies) are identified, addressed in a timely manner, and optimally managed.
Risks:
c) Risk management is not incorporated in strategic planning, performance management, project management and day-to-day decision making.
d) IT risks that require responses are not identified, managed or monitored timely.
e) Risks related to IT processes and activities are not assessed in relation to their ability to impact the achievement of business objectives.

Objective: CIO and key stakeholders, including Board of Directors, are fully informed on IT risks.
Risk:
f) Management and the board are not informed timely of significant risks.

Performance Metrics Objectives

Objective: Performance metrics focus on the most important measures relevant to the overall business strategy.
Risks:
a) The business does not evaluate ROIs on IT initiatives.
b) Lack of strategically focused performance measures that assess the success of IT-delivered value (e.g. SLAs are defined and agreed upon with the business).

Objective: The Board receives timely information and communication on IT to carry out their oversight duties.
Risk:
c) Performance measures are not monitored and reported to management.

Objective: Initiatives and assets that do not create value are identified and eliminated.

Objective: IT detects and corrects deviations from, or weaknesses in, execution of the IT strategic plan.
Risk:
d) Remedial actions are not initiated based on performance indicators.

Summarizing the Results
- Baseline interview results to a risk level immediately after the interview.
- Continually revisit the predefined baseline and rating criteria when summarizing and rating interview results.
- Track and review interview document requests when performing the final assessment.

Risk Level Definitions:
- High: Processes and controls are not documented, communicated, understood, or measured.
- Medium: Processes and controls are identified or documented, but may not be communicated, well understood, or measured.
- Low: Processes and controls are well documented, communicated, understood, and measured.

Summarizing Results: Example Summary Heat Map
Objective Area: 1. Strategic Alignment / Strategy

Objective | Related Risk | Business Scope Area 1 | Business Scope Area 2 | Business Scope Area 3 | Residual Risk Score
IT utilizes a collaborative approach with the business to develop an IT strategic plan with a shared focus on IT investments. | The business strategic plan does not exist or is not clearly defined to enable the development of an IT strategic plan. | 1-Low | 2-Medium | 3-High | 2.0
(same objective) | The IT strategic plan does not exist or is not aligned with the business strategy. | 1-Low | 3-High | 2-Medium | 2.0
CIO and key stakeholders, including Board of Directors, are fully informed of IT objectives and strategies. | The IT strategic plan is not clearly communicated to key stakeholders. | 1-Low | 3-High | 2-Medium | 2.0
Residual Risk Score by scope area | | 1.0 | 2.7 | 2.3 | 2-Medium

Interview Documentation Worksheet

Worksheet columns: Risk Area; Question #; Audit Area; Y/N Questions; Open Ended Questions (H, M, L); Interview Notes; Scope Area Result (Y/N or H/M/L); Audit Notes (ties to Interview Results tab); Overall Auditor Summary (H, M, L and Overall Assessment); Supporting Documentation Reference.

Questions (Risk Area / Question # / Audit Area):
- 1B / 1 / S (Y/N): Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives?
- 1C / 2 / S (Open Ended, H/M/L): How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated?
  High: The linkage is clearly, consistently and formally communicated to all key stakeholders.
  Medium: The linkage is occasionally communicated informally to some, but not all, key stakeholders.
  Low: The linkage is rarely communicated to very few key stakeholders, if any.
- 1B / 3 / S (Open Ended, H/M/L): What is IT governance in your mind?
- 1B / 4 / S (Open Ended, H/M/L): What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.)
- 1B/1C / 5 / S (Y/N): Do you know the IT strategic objectives? If yes, please explain the strategic objectives.
- 1B / 6 / S (Y/N): Are you a part of approving IT strategic objectives? If yes, please explain the approval process.
- 1A / 7 / S (Y/N): Have you defined and communicated your business strategic objectives to IT? If yes, please explain the process. (Ask for supporting documentation.)
- 1B / 8 / S (Y/N): Are your business strategic objectives aligned with the IT strategic objectives? If yes, please explain the process. (Ask if there is supporting documentation for alignment.)
- 1A/1B / 9 / S (Open Ended): How do you organize your department with IT to realize technical solutions that meet business objectives? (Ask if supporting info is available, and obtain examples like an org chart.)

Overall Auditor Summary: Strategic Alignment (High, Medium, Low).

Interview Analysis Worksheet: Business Scope Area 1

Worksheet columns: Risk Area ID; Question #; Question Description (Green: Preliminary Survey); Exec 1; Director 1; Director 2; Overall; Summary of Results.

- 1B / Q1 Flag (N = 1; Y = 0): Do you feel there is alignment between the business's strategic goals / objectives and IT's strategic goals / objectives? Q1 Notes.
- 1C / Q2 Flag (H = 1; M = 2; L = 3): How well do you feel the linkage between the business's and IT's strategic goals / objectives is communicated? Q2 Notes.
  High: The linkage is clearly, consistently and formally communicated to all key stakeholders.
  Medium: The linkage is occasionally communicated informally to some, but not all, key stakeholders.
  Low: The linkage is rarely communicated to very few key stakeholders, if any.
- 1B / Q3 Flag (H = 1; M = 2; L = 3): What is IT governance in your mind? Q3 Notes.
- 1B / Q4 Flag (H = 1; M = 2; L = 3): What process do you use to define/work with the IT Strategy? (Ask if supporting info is available to show what vehicle is used to align with IT strategy.) Q4 Notes.
- 1C / Q5 Flag (N = 1; Y = 0): Do you know the IT strategic objectives? Q5 Notes.

Highest Level Interview Summary: Business Scope Area 1
Question Description (Green: Preliminary Survey)

Area | Executive 1 | Director 1 | Director 2 | Summary of Results
Strategic Alignment | Low | Low | Low | Medium

Executive 1 comments: Strong partnership between IT and business. Business and IT sit on the Leadership Team as one. Business analysts sit in the business and focus only on the business area's related projects and on providing requirements to IT, thus enabling IT to execute against specific, clear requirements that are aligned with the business area's objectives.

Director comments: Roles and responsibilities defined. IT is at the table when discussing business strategy. Using a managed service for the transaction monitoring; however, Director 2 meets with the IT Director to validate that needs are being met. It is helpful that IT sits in all leadership meetings.

Summary of Results: Good partnering between IT and the business in understanding projects, prioritization, and overall IT needs, as both the IT Directors and the Executive and Directors were rated high. Personnel with low rating results are Managers whose systems are provided through software obtained through a Managed Service provider and are not directly supported by IT. Much of the communication is through a close partnership.

Deliverables: IT Governance assessment presentations to executives, which provided:
- Value opportunities from both an IT and a business perspective.
- IT and business residual risks should the value opportunities not be addressed.
- Improvement recommendations which apply to both IT and the business.
- Value propositions for improvement recommendations.
- Supporting research articles for recommendations.
- Where possible, baselines against industry standards, metrics, best practices, and the ITGI Survey.

IT Governance Presenting Assessment Results

Four Primary Themes of Value Opportunities in IT Governance
A. Strategic and Tactical Communication
B. Project Management and Prioritization
C. Resource Management
D. Risk Management & Monitoring

Key Definitions:
- Related IT Governance Area: Related IT Governance Value Objective(s).
- Key Values Achieved: Benefits achieved by IT and the business from good IT Governance practices.
- Key Value Opportunities: Areas where IT Governance and business value could be improved.
- Potential Residual Risks: Potential risks to IT Governance if the Key Value Opportunities are not addressed.

Scope Area 1: Value Strengths & Opportunities for IT Governance
A. Strategic and Tactical Communication

Related IT Governance Area(s): 1 - Establishment of an IT Governance Framework; 2 - Strategic Alignment.

Key Values Achieved:
- IT decisions in line with the business's strategies and objectives.
- A consistent approach for a governance framework achieved and aligned with the business approach.
- Processes overseen effectively and transparently.
- Stakeholder requirements for governance likely to be met.
- IT more responsive to the business's objectives.
- IT resources helping to facilitate the business goals in an efficient and effective manner.
- IT capabilities enabling opportunities for the business strategy.

Key Value Opportunities:
- Integrate IT objectives within a 3-5 year business strategic plan.
- Introduce tools and processes to formalize communication of a business and IT strategic plan.

Potential Residual Risks:
- The IT strategic plan may not be clearly communicated to all key stakeholders.
- The IT portfolio may fail to support the business's objectives and strategies.
- Remedial actions to maintain and improve IT process effectiveness and efficiency may not be identified or implemented.

[Figure: maturity chart for theme A with axes Strategy, Metrics/SLAs, Tactics, and Risk Mgmt; benchmarked using COBIT v4.1, Maturity Model for ME4: Provide IT Governance]

Success Factors for an IT Governance Culture
- Tone at the Top!
- Enable thought leadership in people under the Executive level.
- Clearly define and communicate the value opportunities of IT Governance.
- Incorporate involvement by both IT and the business to ensure collaboration and a defined partnership.
- Ensure agreement on and understanding of IT Governance processes by both IT and the business.
- Relate business and IT strategies and objectives back to their technology enablers.

Success Factors for an IT Governance Culture (cont.)
Implement an IT Governance culture as a continual self-assessment process that:
- Understands and aligns business strategies to tactics.
- Understands the risks associated with the business strategies and tactics.
- Monitors risks through metrics in order to identify risk levels that are unacceptable to the business.
- Changes the business's strategies and tactics when management's 'risk appetite' reaches unacceptable levels.

IT Governance: Questions?
