Saima Rahmanzai – IT Audit Director
Scott Smith – IT Supervising Sr.
Auditing IT Governance
What is IT Governance?
‘A set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly’. (ITGI)
IT Governance Roles and Responsibilities
It is the responsibility of the Board of Directors to ensure that IT, along with other critical activities, is adequately governed.
Common IT Governance Frameworks
The IT Governance Institute (ITGI) and COBIT 5: ITGI was established in 1998 in recognition of the increasing criticality of information technology to enterprise success.
COBIT 5, established in 2012, is a control framework that provides best practices, tools and guidance for the effective management and governance of enterprise IT (it supersedes COBIT 4.1).
Global Technology Audit Guide (GTAG) 17, Auditing IT Governance: this IIA standard provides guidance on how to address governance as part of internal audit engagements, as required by Standard 2110.
Why does IT Governance Matter?
Business processes' reliance on IT
IT Governance can help organizations and Executive Management as follows:
Align business with IT, which promotes transparency, accountability and focus.
Focus IT efforts on enterprise goals, so that scarce resources are spent wisely and add value.
Understand IT risks and make better decisions to keep them in check and avoid regulatory scrutiny.
Monitor IT metrics to ensure IT efforts are on track and are effectively and efficiently achieving strategic goals.
Use and manage resources (human skills and IT assets) efficiently and effectively, reducing both risks and costs.
ITGI’s Five Focus Areas of IT Governance
Strategic Alignment: Are IT goals aligned with business goals?
Value Delivery: Can we measure the value delivered to the business by IT investments?
Risk Management: Addressing and managing risk inherent in IT that could hamper business goals if not dealt with
Resource Management: Managing resources including people, processes and technology
Performance Management: Metrics to evaluate IT performance and monitor IT progress
Strategic Alignment
Provide for strategic direction of IT and the alignment of IT and the business with respect to services and projects (tone at the top).
ITGI Survey: Of the 255 interviews, three quarters of survey respondents indicated IT is aligned with the business; there are still some that lacked alignment.
Alignment can be accomplished by:
Organizational change – Business Partners
CIO is part of the executive team
Create a formal IT Strategy committee
Value Delivery
Addresses the question: Does IT deliver the promised benefit to the business?
ITGI Survey: Three quarters of the survey respondents agreed that IT can generate value for the enterprise, but half of the respondents admitted that there are barriers that prevent the enterprise from realizing full value from IT investments. Top of the list are:
Difficulty in implementing applications
Culture of the organization
The survey indicated that a surprising number of enterprises do not measure the value of their IT investments.
Risk Management
Processes are in place to ensure that IT risks have been adequately managed. Include assessment of the risk aspects of IT investments.
Boards of highly regulated institutions are under pressure to understand IT risks and monitor them.
Business managers are under pressure as they face technical complexity and dependence on a number of service providers, with limited reliable risk monitoring information. Their concern is whether the risk is being cost-effectively addressed.
Resource Management
Ensures there is an adequate IT capability and infrastructure to support current and expected future business requirements.
Covered here at a high level:
Change Management
IT Asset Management
Architecture Policies and Standards
IT processes (including Demand Management) and procedures
Performance Management
“Not having performance metrics is like driving a car with a blacked out windscreen and no instruments”
Verify strategic compliance, i.e. achievement of strategic IT objectives. Review the measurement of IT performance and the contribution of IT to the business (i.e. delivery of promised business value).
ITGI Survey: More than half of the survey respondents stated IT is discussed on a case-by-case (ad hoc) basis at the Board level. 59% of them focus on IT operational performance.
Metrics should be simple and easy to collect. The Board should focus on strategic metrics (including IT projects and costs, and meeting ROI) and not so much on detailed IT operations.
Capability Maturity Model
Developed by the Carnegie Mellon Software Engineering Institute and later adopted by ITGI for the COBIT framework. Levels are:
0 Non-existent
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed and Measurable
5 Optimized
Not everything is scored a 5. Pick the level that is appropriate and reasonable, given the enterprise's resources, industry and strategic priorities.
CMM Template (Source: Protiviti)
Audit Methodology
Focused on the Five IT Governance Focus Areas
Interviewed IT and executive management to assess the maturity (present and desired state) for each of the five focus areas, using CMM.
Audit's assessment of maturity level, comparing the present level with the last audit's maturity level.
Provided recommendations and shared the comparison analysis with Management.
Strategic Alignment
Artifacts/Sources:
Business strategic plans
IT strategic plan
Executive/IT Steering Committee minutes
Board minutes
Interviews with executive leaders and IT leaders
What does good strategic alignment look like?
Organizational structure conducive to alignment (steering committee, Business Partners)
IT as a business partner rather than an order taker
Project prioritization done transparently, based on set criteria that all agree upon
Environment that encourages enterprise initiatives rather than division initiatives
Formal documented strategic plans
IT strategic plan created in conjunction with business strategic plans (a focused approach to implementing strategic goals)
Value Delivery
Artifacts/Sources:
Sample of project documentation (including business cases) across divisions, if completed and standardized
Evidence to show follow-up on budgeted ROI (did the IT investment realize the value/benefit promised?)
Discussions with Finance & IT Management (IT spend benchmarking, analysis of IT project spend on business initiatives vs. business support)
Good process for Value Delivery?
Business cases and requirements exist across all projects, using the same criteria to aid with prioritization
Monitoring processes in place to ensure value was realized
One of the areas where Management tends to have a desired state close to optimized.
Risk Management
Artifacts/Sources:
Board/Committee minutes evidencing IT risk management communication to the Board and approval of Information Security Policies
Minutes from the ERM committee and other committees where detailed IT risk metrics are shared
Enterprise IT risk assessment process documentation
Discussions with the CISO, Executive and IT Management
What does good Risk Management look like?
Formal Information Security Program
Involvement of Information Security personnel in projects, changes, and attendance at key committees
Mature ERMC processes
Transparency of the IT risk profile to the Board and executive management
Resource Management
Artifacts/Sources: Policies/Procedures and standards related to:
Staffing strategies for IT projects and existence of a skill set inventory
Demand Management procedures
IT Asset Management, including software and hardware life cycle refresh
Architecture and capacity planning
Plans/projects on IT infrastructure modernization
What does good Resource Management look like?
A sound and formal IT Demand Management process with the right stakeholders involved (standard prioritization process across the enterprise, rolling 12-month plan of IT projects, formal approval processes done transparently, etc.)
Processes to identify any gaps early when supply and demand do not match
Taking a proactive approach to keeping IT application and infrastructure resources current, so demands can be met more efficiently and securely
One of the areas where Management tends to have a desired state close to optimized.
Performance Management
Artifacts:
Board/Committee and ERMC minutes where performance metrics are reported on projects, system availability, performance and capacity, IT risks, services, etc. (some may have IT Balanced Scorecards)
Service Level Agreements
What does good Performance Management look like?
Board role in monitoring strategic KPIs, including projects, to ensure strategic goals are being accomplished and IT is adding value
An enterprise framework to measure, collect and report KPIs in an efficient manner
Normally you will find a gap in this area, mainly due to the difficulty of collecting useful metrics efficiently.
Focus Areas Interdependencies
All five focus areas are interconnected.
Not having good Strategic Alignment could negatively affect Value Delivery.
Risk Management processes may be formalized; however, if Resource Management is not up to par it could negatively affect Risk Management (e.g. not refreshing IT assets could introduce vulnerabilities; not having a good staff skill set inventory could delay IT projects or cause them to fail, etc.).
Performance Management can be efficient once IT resources are more integrated and can readily provide pertinent metrics.
Focus Area Report Example
Success Factor Dependencies
Tone at the top is crucial. Executive leadership buy-in and support are needed.
The CAE is involved in the IT Governance audit more so than in other audits. Be prepared to talk to C-level executive leaders. IT auditor involvement in IT leadership meetings on an ongoing basis is key.
There is a difference between the IT way of thinking and the business way of thinking. This audit bridges the gap, as candid discussion and ideas on both sides are fully transparent.
Be patient! This is not a normal “controls” testing audit. Implementation may involve cultural change and the introduction of new ways of doing things. It is not easy and may take time.
Include all stakeholders in the report. Continue to bring to management's attention where processes should be enhanced, even after the audit is completed (consulting).
Great opportunity for auditors to make a difference.
Questions?