Technology Committee
IT Monitoring
Issued by the International Federation of Accountants
This Guideline of the Information Technology Committee was
approved for publication by the International Federation of Accountants
in April 2002.
Technical Director
International Federation of Accountants
535 Fifth Avenue, 26th Floor
New York, NY 10017 USA
Fax: (212) 286-9570
Copies of this paper may be downloaded free of charge from the IFAC
website at http://www.ifac.org.
ISBN 1-887464-84-0.
Contents
PREFACE
EXECUTIVE SUMMARY
WHAT IS IT MONITORING?
KEY/CORE PRINCIPLES
WHEN?
WHO?
WHAT IS IT MONITORING?
KEY/CORE PRINCIPLES
WHEN?
WHO?
MANAGEMENT GUIDELINES
MANAGEMENT GUIDELINES
MANAGEMENT GUIDELINES
Executive Summary
What is IT monitoring?
2. Those responsible for IT governance need first to set
measurable goals, then delegate the execution to executive
management and, finally, regularly verify that performance
matches the goals. If goals and measures are not in line, the
governance body needs to take corrective action, provide
redirection or, possibly, reconsider the original goals.
Monitoring of IT is enabled by the definition of relevant
performance indicators, the systematic and timely reporting of
performance and prompt acting on any deviations identified.
IT monitoring is especially important because of the
complexity and risk involved in IT activities. It has the
business goals of ensuring the delivery of information to help
the organization achieve its objectives and ensuring the
achievement of performance objectives for the IT function.
IT monitoring covers:
how IT sustains the business with operational processes
and risk and control systems;
whether IT complies with business strategy, standards and
policy;
KEY/CORE PRINCIPLES
COMPREHENSIVENESS — Any monitoring activity has
to be comprehensive, based on simple and consolidated
measures focusing on exceptions.
RELEVANCE — Any monitoring activity has to be
relevant to the mission, vision, goals and strategy of the
enterprise.
ACCEPTABILITY — An effective monitoring approach
has to be acceptable to those being monitored. This means
not invading their privacy and not intruding into their
day-to-day responsibilities.
TIMELINESS — To make correct and expedient
decisions, monitoring data must be available to detect
deviations that need to be reported immediately.
VERIFIABILITY — Information obtained by the
monitoring process should be verifiable by other means –
thus, it should be accurate and, whenever possible, it
should be based on fact.
ACTION-ORIENTED — Any form of monitoring must
enable expedient corrective action.
FLEXIBILITY/ADAPTABILITY — The monitoring system
should be easily adaptable to provide accurate, relevant
and timely information in a changing environment.
When?
6. Monitoring is always necessary whenever IT is used within an
organization: from planning and organization, acquisition and
implementation to delivery and support. For effective IT
governance, monitoring is absolutely crucial.
Who?
7. Everyone who has a specific role and/or responsibility for
achieving IT goals and processes must be involved in
monitoring IT. Effective monitoring involves the entire
organization, as information is captured, consolidated and
reported up the various management levels.
Why is Monitoring of IT Important?
[Figure: IT performance measures by perspective. Financial: # of IT customers; cost per IT customer; cost-efficiency of IT processes; delivery of IT value per employee. Customer: level of service delivery; satisfaction of existing customers; # of new customers reached; # of new service delivery channels. Process: availability of systems and services; developments on schedule and budget; throughput and response times; amount of errors and rework. Learning: staff productivity and morale; # of staff trained in new technologies/services; value delivery per employee; increased availability of knowledge systems.]
[Figure: Control device. Observed information about what is happening (detector); comparison with standard (assessor).]
What is IT Monitoring?
15. Monitoring is fundamental to any control system. Monitoring
is the process of observing what is happening (detection) and
comparing it to a standard that has previously been set
(assessing). While strictly not part of monitoring, the
communication that results with the aim of altering observed
behavior may not be ignored.
17. [Figure: Set measurable goals; compare results.]
[Figure: Provide Direction; Set Objectives; IT Activities; Measure Performance. Set Objectives: IT is aligned with the business, enables the business, and maximizes benefits; IT resources are used responsibly; IT related risks are managed appropriately. IT Activities: increase automation (make the business effective); decrease cost (make the enterprise efficient); manage risks (security, reliability and compliance).]
What IT Monitoring Tools are Available?
KEY/CORE PRINCIPLES:
COMPREHENSIVENESS — Any monitoring activity has
to be comprehensive, based on simple and consolidated
measures, focusing on exceptions.
RELEVANCE — Any monitoring activity has to be
relevant to the mission, vision, goals and strategy of the
enterprise. Alignment of the IT strategy to the enterprise
strategy is a critical success factor for successful IT
governance.
ACCEPTABILITY — An effective monitoring approach
has to be acceptable to those being monitored. This means
not invading their privacy and not intruding into their
day-to-day responsibilities. The “tone at the top” and
maturity level of the internal control systems are essential
to achieving acceptability.
TIMELINESS — To make correct and expedient
decisions, monitoring data must be available to detect
deviations that need to be reported immediately. The
frequency of monitoring different activities of an
organization should be determined by considering the
risks involved and the frequency and nature of changes
occurring in the operating environment.
VERIFIABILITY — Information obtained by the
monitoring process should be verifiable by other means.
Thus, it should be accurate and, whenever possible, it
should be based on fact. (It should be noted that obtaining
an opinion/feeling is also part of the governance process –
actually, future predictions to drive the strategy are not
always based on fact.)
ACTION-ORIENTED — Any form of monitoring must
enable expedient corrective action. Executive
management must ensure that the monitoring function is
[Figure: IT balanced scorecard. Vision and Strategy at the centre, surrounded by four perspectives, each with Objectives, Measures, Targets and Initiatives. Financial: “To succeed financially, how does IT contribute to the organization’s success?” Customer: “To achieve our vision, how should IT support our customers?” Internal Business Process: “To satisfy our shareholders and customers, what IT processes must we excel at?” Learning and Growth: “To achieve our vision, how will we sustain our ability to change and improve our IT environment?”]
What is the Best Approach to Implement IT Monitoring?
WHEN?
31. Monitoring is always necessary whenever IT is used within an
organization: from planning and organization, acquisition and
implementation to delivery and support. Monitoring is crucial
for effective IT governance and occurs in a planned manner
whenever goals are being verified but also in a continuous and
ad hoc fashion when monitoring for risks, faults or defects.
WHO?
32. Chief executive officers, chief information officers, other
executive management, process owners, users and information
systems auditors all have roles and responsibilities in
monitoring IT’s goals and processes. An effective monitoring
system, like any successful management information system,
involves the whole organization in that monitoring
information is captured, consolidated and reported up, at all
levels.
M1 – Monitoring the processes
2. Assessing Performance
Services to be delivered by the IT function should be measured (key
performance indicators and/or critical success factors) by management
and be compared with target levels. Assessments of the IT function
should be performed on a continuous basis.
4. Management Reporting
Executive management should receive, for review, reports on the
organization’s progress toward identified goals. Management should
also receive status reports on the extent to which planned objectives
have been achieved, deliverables obtained, performance targets met and
risks mitigated. Once management has reviewed the reports, it should
take whatever appropriate action is deemed necessary.
Management Guidelines
Critical Success Factors
Useful, accurate and timely management reports are available.
Processes have defined and understandable key goal indicators and
key performance indicators.
Measurements of IT performance include financial, operational,
customer and organizational learning criteria that ensure alignment
with organization-wide goals and that can be integrated with tools
such as the IT balanced business scorecard.
There are clearly understood and communicated process
objectives.
A framework is established for defining and implementing IT
governance reporting requirements.
A knowledge base of historical performance is established.
M3 – Obtaining independent assurance
Security and Risk Monitoring
Additional IT Measures to Monitor