
BIT2318: Topic 3

IT GOVERNANCE

Essentials of IT in today's business

Challenges and concerns are:
Aligning IT strategy with the business strategy
Cascading strategy and goals down into the enterprise
Providing organizational structures that facilitate the implementation of strategy and goals
Insisting that an IT control framework be adopted and implemented
Measuring IT's performance

IT without Governance

IT without governance is reactive, unable to plan, acquire or develop the correct skills or understand priorities.
For instance, without a structured process, all projects are number-one priorities. With budgets being flat or minimally increasing, it is difficult to know where to focus.

IT Governance

IT governance processes allow IT to understand and manage IT-enabled business change.
An IT governance framework addresses:
strategic alignment
performance measurement
risk management
value delivery and
resource management.
Effective application of the IT governance framework is the responsibility of the board of directors and executive management.
It is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategies and objectives.
An IT governance framework, such as Control Objectives for Information and related Technology (COBIT), can be a critical element in ensuring proper control and governance over information and the systems that create, store, manipulate and retrieve it.

Best Practice of ITG leads to:

Alignment of IT/IS goals with the company's goals (a strategic role of senior management, not a tactical one)
Establishment of accountability
- Individuals are held responsible for their actions (clear processes, procedures, job descriptions etc.)
- Responsibility starts with employees and builds up to top management.

ITG Structure

How to establish ITG?
Create an IT Strategy / Steering Committee: to evaluate IT strategy and processes (DAIM) to ensure they support the organization's strategies (ALIGNMENT).
Develop policies and procedures: DAIM of systems or IT-based projects.
Define job roles
Execute good HR practices
Perform risk assessments and periodic audits: to ensure management receives sufficient and timely information about IT performance.

Auditor's Role in IT Governance

Provide guidance and recommendations to senior management:
Learn the organization's goals & objectives, MS
Review the IT Strategic Plan: IT project planning for 3-5 years
Analyze the Organizational Chart: roles and responsibilities of employees.
Study Job Descriptions: level of responsibility and accountability for one's actions.
Evaluate existing Policies & Procedures: approved activities of employees.

IT Steering Committee (Fig. 2.2)

Business Management: CEO
IT Management: CIO or representative
Legal: Legal Executive
Finance: CFO for financial guidance
Marketing
Sales: Senior Manager
Quality Control: IT usage meets the required standard
Research & Development: IT meets the needs of new products
Human Resources: IT efforts benefit and are fair to employees

IT Steering Committee
Responsibility:
Review major IT projects, budgets and plans.
Operate under a formal charter.
Provide strategic guidance but NOT be involved in the daily activities of the IT Department.

Organizational Structure Design

The structure of the IT function is influenced by cultural, political and economic forces.
Example (organizational chart boxes): CEO; VP Foreign Operations; Sales & Marketing Manager; HR Manager; VP Local Operations; Finance & Accounting; VP IT; IT Manager; R&D.

IT Organizational Structure
IT Function Manager, with four managers reporting to it:
SD Manager
- System Analysis
- Computer Programming
- DBA
- QC
Computer Operations Manager
- Data Input
- Info Processing
- Info Output
- Continuity of Operations
Computer Security Manager
- SW Security
- Info Security
- Network Security
- Physical Security
User Services Manager
- Technical Support
- Application Support
- User Training
- Help Desk

Internal control consideration: separation of duties

IT Strategy

IT Strategy must align with the Business Strategic Plan.
IT Function Objectives include:
Create an atmosphere that embraces innovation and change.
Apply HW and SW technologies to opportunities that promote prosperity.
Incorporate enterprise-wide systems to facilitate coordination of business activities.
Develop a technology-based communications network capable of linking suppliers, customers and employees.

IT Strategy

IT Objectives set the foundation for IT Strategy.
IT Strategy details HOW the IT function will achieve its objectives through organizational structure, relationships with others and IT configurations.
Example: The IT function will use a decentralized form of organization that is adaptable to the dynamic nature of the company. It consists of the CIO, who with delegates will strive to cooperate and coordinate with all internal information customers to ensure that the company's information system is fully integrated and that business processes and IT infrastructure meet ever-changing demand.

The IT Function should:
Develop a Strategic IT Plan.
Articulate the information architecture.
Find the optimal fit between IT and the company's strategy.
Maximize IT investment.
Communicate IT policies to users.
Conduct IT risk assessments.
Incorporate sound project management techniques.

The relationship between a policy, standard, guideline, and procedure

Organizational IT Policies, Standards and Procedures

They reflect management's view of the company.
A POLICY covers most aspects of organizational control to meet legal and business requirements.
It states who is responsible and what standards must be upheld to meet minimum CG requirements.
Policies dictate how activities occur in each of the functional areas.
Policy Development: Top-down vs. Bottom-up
Policies must address:
(i) Regulatory: organizational standards meet local, state and federal laws.
(ii) Advisory: consequences of employees' behavior and actions, e.g. Internet use.
(iii) Informative: to inform employees/customers, e.g. return policy for Internet sales.
A Security Policy dictates management's commitment to the use, operation and security of IS and assets.
Disaster Recovery and Business Continuity Policy

Auditor's part on Policy

Look closely at the policy to understand how a specific process functions, e.g. DCRP policy: HW, SW, backup media, site.
- Examine these critical documents; any findings are referenced back to the policy.
- Verify how well the policy actually maps to activity.
- Review to ensure policies are current.

Procedures
Step-by-step instructions: detailed documents tied to specific technologies and devices.
They describe how a policy should be carried out, e.g. DCRP.
More dynamic than policy, to stay relevant with changes in processes, equipment etc.
Auditor's part?
- Review relevant procedures and map them to employee behavior through observation or interview.
- Misalignment? No procedure / procedure not effective / lack of training on procedures.

Standards and Guidelines

Standard: mandatory requirements to be adhered to, e.g. e-mail encryption, password length.

Guidelines: statements in a policy or procedure to determine a course of action.
Best practices
Not mandatory

Reviewing Documentation
To verify that documents are being used in the way management has authorized and intended them to be used.
Internal: HR documents, QA documents, Operation Manuals, IT forecasts and budgets, Security policy, Organizational chart, Job details.
External: Vendor contracts, bidding process.

Potential Problems
Excessive costs
Budget overruns
Late projects / aborted projects
Unsupported HW changes
Lack of / outdated documentation
Employees unaware of documentation

PERFORMANCE MEASUREMENT

Activities to ensure organizational goals are met effectively and efficiently.
Mechanisms: financial and non-financial
Balanced Scorecard (Kaplan & Norton, 1996):
Customer perspective: user satisfaction with system reliability, ease of use, IT staff.
Internal operations: operational performance, e.g. no. of security breaches, no. of backlogged requests, % of downtime.
Innovation and learning: adaptability and scalability, e.g. ease of integrating new technology into the existing architecture, IT growth.
Financial evaluation: profit, market share, ROI, NPV, transaction cost pre- and post-IT project.

Performance Review
Performance review refers to the identification of a target to be monitored, tracked, and assigned to a responsible party, and the resolution of any open issues.
Existing systems require a regular review to determine the ongoing level of compliance with internal controls and the next steps to take.

Capability Maturity Model (CMM)

The Capability Maturity Model (CMM) is a method for evaluating and measuring the maturity of processes in organizations.
A rating scale from 0 to 5 is used. A score of zero indicates that nothing is occurring.
Level 1 maturity indicates that the initial activity was successful and may later progress up to level 5, when the activity is statistically controlled for continuous improvement.
The CMM rating scale was developed by the Software Engineering Institute at Carnegie Mellon University and has been widely used for rating business process capabilities.

Level 0
Level 0 = Nothing yet. The level of zero is implied in the CMM but may not be noticed. This is important when evaluating process maturity.
Missing processes and controls without evidence will be rated as zero. Many individuals assume that all controls are present when, in fact, some may be missing.
A process or control must have occurred in order to reach a level of maturity (1-5).

Level 1
Level 1 = Initial. Processes are unique and chaotic. The organization does not have a stable environment. Success is based on individual competencies and heroics. This level often produces products and services that work.
However, output may exceed the available resources or be dependent on specific individuals. At level 1, people have the most freedom and flexibility to make their own decisions.

Level 2
Level 2 = Repeatable. Processes are repeatable. The organization uses project management to track projects. The project status is communicated by using milestones with a defined work breakdown structure.
The basic standards, processes, descriptions, and procedures are documented.

Level 3
Level 3 = Defined. Processes are well documented and understood. Level 3 is more mature and better defined than level 2. Processes have objectives, measurements, improvement procedures, and standards.
The results in level 3 are predictable by qualitative measure.

Level 4
Level 4 = Managed. Management can use precise measurement criteria to control the processes and identify ways to adjust the results.
Processes at level 4 are predictable by quantitative measure.

Level 5
Level 5 = Optimized. This is the highest level, with continuous improvement of processes.
Objectives for improvement are defined and continually revised to reflect business needs and objectives.
Products at CMM level 5 have been so well defined that they are effectively converted into a commodity.
Level 5 is the ideal maturity for the maximum level of control in outsourcing. It allows the company to switch to using less-skilled people who are told what to do, pay less, and demand unquestionable authority.
People have the least authority with the fewest decisions at level 5.
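A small rating helper, added here as an example and not part of the slides, that applies the level rules above: a control with no evidence of having occurred is rated 0 rather than assumed present, and each level requires the evidence of every level below it. The attribute names (occurred, repeatable, defined, quantified, optimized) are assumed mappings of the slide descriptions, and the sample evidence is constructed.

```python
from dataclasses import dataclass

# Attribute names are assumptions for this example, mapped onto the level
# descriptions in the slides: level N needs the evidence of levels 1..N-1 too.
@dataclass
class ControlEvidence:
    name: str
    occurred: bool = False    # activity actually happened (required for any level 1-5)
    repeatable: bool = False  # milestones / WBS tracking, basic standards documented (level 2)
    defined: bool = False     # well documented, objectives, measurements, standards (level 3)
    quantified: bool = False  # precise measurement criteria control the process (level 4)
    optimized: bool = False   # continuous improvement, objectives continually revised (level 5)

LEVEL_NAMES = {0: "Nothing yet", 1: "Initial", 2: "Repeatable",
               3: "Defined", 4: "Managed", 5: "Optimized"}

def cmm_level(ev: ControlEvidence) -> int:
    """Rate one control: climb the ladder in order and stop at the first missing rung."""
    if not ev.occurred:
        return 0
    level = 1
    for rung in (ev.repeatable, ev.defined, ev.quantified, ev.optimized):
        if not rung:
            break
        level += 1
    return level

def rate_controls(expected: list[str], evidence: list[ControlEvidence]) -> dict[str, int]:
    """Rate every control the framework expects; a control with no evidence
    record at all is rated 0 instead of being assumed present."""
    by_name = {ev.name: ev for ev in evidence}
    return {name: cmm_level(by_name[name]) if name in by_name else 0 for name in expected}

def weakest_controls(ratings: dict[str, int]) -> list[str]:
    """Controls at the lowest maturity level found: the auditor's focus list."""
    lowest = min(ratings.values())
    return sorted(name for name, lvl in ratings.items() if lvl == lowest)

# Constructed sample: three controls named on the slides, evidence gathered for only two.
EXPECTED = ["Data Backup", "Physical Security", "Disaster Recovery Controls"]
EVIDENCE = [
    ControlEvidence("Data Backup", occurred=True, repeatable=True, defined=True),
    # quantified without 'defined' does not count, so this control stays at level 2
    ControlEvidence("Physical Security", occurred=True, repeatable=True, quantified=True),
]

if __name__ == "__main__":
    ratings = rate_controls(EXPECTED, EVIDENCE)
    for name, lvl in ratings.items():
        print(f"{name:28s} level {lvl} ({LEVEL_NAMES[lvl]})")
    print("audit focus:", weakest_controls(ratings))
```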

IT Resource Investment
Funding
IT Operations
Acquiring IT Resources
Staffing the IT Function
- Hiring
- Rewarding
- Terminating

RISK MANAGEMENT
Risk Management Team
Asset Identification
Threat Identification
Risk Analysis Method
- Quantitative
- Qualitative

Key Planning Risk Indicators

Strategic planning not used.
IT risks not assessed.
Investment analysis not performed.
Quality assurance reviews not conducted.
Plans and goals not communicated.
IT personnel are disgruntled.
Technology infrastructure inadequate.
Users unhappy with support.
Management's information needs not met.

Monitoring and Assurance of IT Performance

Management Practices and Controls
- Employee Management
- Sourcing
- Change Management and Quality Improvement
Personnel Roles and Responsibilities
- Employees' Roles and Duties
- Segregation of Duties
- Compensating Controls

Monitoring and Assurance of IT Performance

Controlling IT Functions
1. Security Controls
- Physical Security
- Logical Security
2. Information Controls
- Input Controls
- Process Controls
- Database Controls
- Output Controls

Monitoring and Assurance of IT Performance

3. Continuity Controls
- Backup Controls: Data Backup, Hardware Backup
- Disaster Recovery Controls

CONCLUSION

Effective management of the IT Function is a critical success factor in ensuring the economic viability of an organization.
ITG runs from the top down.
Goals of the IT/IS Function align with the organization's goals.
Auditor's Tasks:
Review documents, standards and policies to determine how closely they match employees' activities.
Review job roles and responsibilities to understand the risks individuals might pose to the company.
